Check out a free preview of the full Firebase Fundamentals course:
The "Role Based Access Control" Lesson is part of the full, Firebase Fundamentals course featured in this preview video. Here's what you'd learn in this lesson:

David walks through examples of role-based access control Security Rules to determine a user's role and what that role has access to.

Get Unlimited Access Now

Transcript from the "Role Based Access Control" Lesson

[00:00:00]
>> Role Based Access Control allows you to say, okay, only allow this action if this user is an admin or if they're a collaborator, or if they're this type of user. And within Firestore you can actually look up data within security rules and then make a decision based upon that.

[00:00:18] So, let's say that there was a new feature that was added to the expenses and they said hey, every expense has a budget ID, which means that it is associated with a specific budget and multiple users can collaborate on budgets. In that case, what we can do is I have to always copy and paste this cuz this is such a long string, is we can go and get data.

[00:00:44] And so let's say we wanted to only allow matching on budgets, budget ID, so you can only modify a budget if you are a collaborator. So allow read if is collaborator. Well, one of the things you can do is you can write a function called isCollaborator and then we're gonna paste in this really big string.

[00:01:16] So this is a get method that says get data at this path in the database. Firestore requires you to have a fully qualified path in order to get it. So that includes what is referred to as a path type in Firestore. And then, getting the request that resource.aut.uid using the syntax like an interpolate that user, and let's say it was referring to admins.

[00:01:40] An admins document that listed out all the users who were admins, I could say is this user in admin? And so I can say if this user.role = admin, then I know that they're an admin or if their role is, I can actually say role in admin or collaborator.

[00:02:08] And this allows me to know whether that person has a specific role. And so without having to do any more logic within your app yourself, you can actually enforce it entire base of roles within security roles. So you look up that user do they have the role because the security roles they're allowed to look up data at any path.

[00:02:30] And says yes, this admin exists, yes, they have the role of admin, I will allow this to occur. And you can even using hierarchy say within the budgets of this budget ID it has specific collaborators. So you can even scope each one's role down to a specific budget.

[00:02:49] So their role in one budget might have a different role in another. And so you'll see that a lot in project based stuff. So we're not going to get into these because it's more of an advanced use case, the code does exist in the final use case, as you can see how it's written, cuz I really wanna dive into Cloud functions.