This project showcases an advanced fine-grained authorization demo in a banking system using the Permit.io Authorization as a Service product.
The application is written in Next.js and uses Permit.io's Decision Engine to enforce fine-grained authorization policies. The application also uses Stytch for user authentication and JSONBin.io to store external data for location-based authorization.
You can experience the demo live at https://mesa-verde.up.railway.app/.
- Multi-Tenancy Hierarchical Role-Based Access Control (RBAC): When a new user is created, they are assigned to a tenant and a role within that tenant, such as Account Owner or Read Only Member.
- Secure Collaboration: Users can manage beneficiaries and account members using Permit.io's user management components.
- Dynamic UI Feature Toggling: The user interface components vary based on the user's role and account ownership status.
- Fine-Grained Wire Transfer Permissions: Wire transfers are authorized based on multiple factors, including user roles, relationships, user location, and transaction limits.
- Use External Data for Authorization: The system uses external data sources to determine the user's location and apply location-based authorization.
- Feedback Loop of Authentication and Authorization: Users who are not authorized for a specific action can unlock the required permissions by strengthening their authentication (for example, completing OTP verification).
- Transaction Approval Flow: Account owners can approve wire transfers made by other users.
- Fine-Grained Relationship-Based Access Control (ReBAC): Users gain access to transactions through their relationship with the particular account and transaction.
- Access Requests: Users can request elevated access to specific accounts via ready-made access request components.
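As an added illustration (not code from the mesa-verde project, which delegates these decisions to Permit.io's decision engine), the following JavaScript models how the factors listed above combine into a single wire-transfer decision and how the owner approval flow sits beside it. The role limits, the allowed-location set standing in for the external JSONBin.io data, the step-up threshold, and the choice to deny (rather than queue) an over-limit transfer are constructed assumptions.

```javascript
// Illustrative model of the wire-transfer decision factors (assumption: not the
// demo's real policy, which lives in Permit.io and is evaluated by its PDP).
const TRANSFER_LIMIT_BY_ROLE = { "Account Owner": Infinity, "Member": 1000, "Read Only Member": 0 }; // constructed
const ALLOWED_LOCATIONS = new Set(["US", "IL"]); // constructed stand-in for the external location data
const STEP_UP_ABOVE = 500; // assumed: amounts above this need an OTP-verified session

// Returns { decision: "allow" | "deny" | "step-up", reasons: string[] }.
function authorizeWireTransfer(user, account, transfer) {
  const reasons = [];
  // Multi-tenancy: a user only acts inside their own tenant.
  if (user.tenant !== account.tenant) reasons.push("tenant mismatch");
  // ReBAC: the user must hold a role on this particular account.
  const role = account.members[user.id];
  if (!role) reasons.push("no relationship with account");
  // RBAC: the role decides whether, and up to what amount, the user may transfer.
  const limit = role ? (TRANSFER_LIMIT_BY_ROLE[role] ?? 0) : 0;
  if (transfer.amount > limit) reasons.push("amount exceeds role limit");
  // External data: the user's current location must be permitted.
  if (!ALLOWED_LOCATIONS.has(user.location)) reasons.push("location not allowed");
  if (reasons.length > 0) return { decision: "deny", reasons };
  // Feedback loop: permitted by policy but weakly authenticated -> ask for step-up.
  if (transfer.amount > STEP_UP_ABOVE && !user.otpVerified) {
    return { decision: "step-up", reasons: ["OTP verification required"] };
  }
  return { decision: "allow", reasons: [] };
}

// Approval flow: an Account Owner of the same account approves transfers made by other users.
function authorizeApproval(approver, account, transfer) {
  if (approver.tenant !== account.tenant) return false;
  if (account.members[approver.id] !== "Account Owner") return false;
  return transfer.requestedBy !== approver.id;
}

// Constructed sample tenant, account and users.
const account = {
  id: "acct-1", tenant: "acme",
  members: { owner1: "Account Owner", mem1: "Member", ro1: "Read Only Member" },
};
const owner = { id: "owner1", tenant: "acme", location: "US", otpVerified: true };
const member = { id: "mem1", tenant: "acme", location: "US", otpVerified: false };
const readOnly = { id: "ro1", tenant: "acme", location: "US", otpVerified: true };
const outsider = { id: "x1", tenant: "other", location: "US", otpVerified: true };

console.log(authorizeWireTransfer(member, account, { amount: 200 }).decision);  // allow
console.log(authorizeWireTransfer(member, account, { amount: 800 }).decision);  // step-up
console.log(authorizeWireTransfer(member, account, { amount: 1500 }).decision); // deny
console.log(authorizeApproval(owner, account, { requestedBy: "mem1", amount: 1500 })); // true
```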
To learn more about the authorization models of this application, read the docs.
For further reading, you can also check the following blogs:
- What Really Happens When The Bank’s Server Authorizes Your Wire Transfer Request? (TBD)
- The Feedback Loop of Authentication and Authorization (TBD)
- How to Add Authorization to Stytch Authentication (TBD)
- Fine-Grained Authorization with Multi-Tenancy RBAC (TBD)
To run a local version of the application, follow the steps below:
First, you need to have the following tools installed:
- Node.js
- Docker
- Terraform
- ngrok - to expose the local server to the internet for access request webhooks
Then, you need to create a (free) account with the following:
- Stytch - to authenticate users and ensure strong authentication with OTP
- Permit.io - to manage fine-grained authorization and access control
- To run the project locally, it is recommended to have a fresh Permit environment without any configured policies. To create a new environment, follow the instructions here
- JSONBin.io - to store the external data for location-based authorization
- Clone the repository:
  git clone git@github.com:permitio/mesa-verde-banking-demo.git
- Run the following commands to install the dependencies:
  cd mesa-verde-banking-demo
  npm install
- Copy the .env.example file to .env:
  cp .env.example .env
- Fill in the environment variables in the .env file with the values from your Stytch, Permit.io, and JSONBin.io accounts.
- To configure the initial authorization schema in Permit, run the following command, which uses Terraform to apply the schema to your newly created Permit environment:
  npm run setup
- After running the command, you should see the policy configured in the Permit Policy Editor.
To run the application, use the following command, which starts the Next.js server and all the necessary services in Docker:
  docker-compose up --build
At this point, open your ngrok URL in the browser and create a new account to experience the application live.
If you find this demo helpful or have any questions, feel free to reach out to us on our Slack Community, where thousands of developers are discussing fine-grained authorization and access control.