Does anyone have any RBAC/CBAC best practices?

I really want to keep our model as close to Supabase/Postgres as possible. I'd prefer the user role(s) to be attributed in the auth table (so I can add policies without referencing the JWT or additional tables), but that doesn't seem possible. I've tried setting up Postgres roles with inheritance, but that command "inherit" doesn't actually work and it will limit the user to a single role.
4 Replies
DevsrealmGuy (2mo ago)
It is possible to do that but it is not wise; Supabase's recommendation is not to edit that table (Supabase regularly changes it, so some things might go wrong). One option is using the raw_user_meta_data. Outside that, the better option is just creating additional tables; it still conforms with the Postgres model. You have the...
- roles table (list all roles)
- user_roles table (which user has which role)
- user_projects table (multi-tenant: who belongs to which project/tenant)

You can also have a permissions table depending on how complex your application is. Then together with RLS you are set.
garyaustin (2mo ago)
Do not use raw_user_meta_data as the user can change it. You can use raw_app_meta_data. I don't know if you can even add a column to an auth schema table anymore but if you did the auth server would error as it checks for exact column matches as a type check. Using a separate table is best.
Anthony | The Distance
Thanks guys, we are currently using raw_app_meta_data for a project but finding performance challenges with the RLS because of it. So I think we will revert to a table approach instead, using a different schema for these tables alone.
garyaustin (2mo ago)
RLS performance for JWT should be same or faster than for a table. Did you follow the RLS tuning guides? https://supabase.com/docs/guides/database/postgres/row-level-security#rls-performance-recommendations
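An added example, not code from any of the posters, that combines the separate-tables approach from the first reply with the RLS performance recommendations linked above. The `app` schema, the `documents` table, the `editor` role and the `app.has_role` helper are assumptions for illustration.

```sql
-- Constructed example: app-owned role tables in their own schema (auth.* is
-- left untouched), plus an RLS policy written per the Supabase tuning guide.
create schema if not exists app;

create table app.roles (
  name text primary key            -- e.g. 'admin', 'editor', 'viewer'
);

create table app.user_roles (
  user_id uuid not null references auth.users (id) on delete cascade,
  role    text not null references app.roles (name),
  primary key (user_id, role)      -- a user may hold several roles
);

-- Index the column every policy check filters on.
create index user_roles_user_id_idx on app.user_roles (user_id);

-- SECURITY DEFINER lets the policy read app.user_roles without granting
-- clients direct access to it; the empty search_path forces qualified names.
create or replace function app.has_role(required text)
returns boolean
language sql
stable
security definer
set search_path = ''
as $$
  select exists (
    select 1 from app.user_roles
    where user_id = (select auth.uid()) and role = required
  );
$$;

-- Only signed-in API users may call the helper.
revoke execute on function app.has_role(text) from public;
grant execute on function app.has_role(text) to authenticated;

-- Example protected table.
create table public.documents (
  id       bigint generated always as identity primary key,
  owner_id uuid not null default auth.uid(),
  body     text
);
alter table public.documents enable row level security;

-- Owners read their own rows; editors read everything. Wrapping the function
-- calls in (select ...) lets Postgres evaluate them once per statement
-- instead of once per row, which is the main tuning recommendation.
create policy "documents_select" on public.documents
for select to authenticated
using (
  owner_id = (select auth.uid())
  or (select app.has_role('editor'))
);
```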
