Role-Based Access Control (RBAC)
Roles
AliQuest defines two roles based on project requirements:
| Role | Description |
|---|---|
| admin | Maintainer: full system access |
| researcher | Researcher: limited read and request access |
Roles will be assigned in Keycloak and passed to the frontend as role claims in the Keycloak-issued JWT (Keycloak places realm roles under `realm_access.roles` and client roles under `resource_access.<client>.roles`).
Permissions Matrix
| Feature | Researcher | Admin |
|---|---|---|
| View reagent catalogue | ✅ | ✅ |
| View project details | ✅ | ✅ |
| Add / Edit / Delete reagent | ❌ | ✅ |
| Add / Edit / Delete project | ❌ | ✅ |
| View all users | ❌ | ✅ |
| Access settings | ❌ | ✅ |
| Manage inventory | ❌ | ✅ |
| View audit logs | ❌ | ✅ |
Implementation
Protected Routes
Every admin-only page is wrapped with `ProtectedRoute`:
| Route | Access |
|---|---|
| /users | Admin only |
| /settings | Admin only |
| /reagent/add | Admin only |
| /reagent/edit/:id | Admin only |
| /project/add | Admin only |
| /project/edit/:id | Admin only |
Security Logging
Every unauthorized access attempt (a user without the required role reaching a protected route) is logged to the browser console.
Planned: When backend audit log API is ready, these events will be forwarded to the server-side audit log for full traceability.
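The permissions matrix, the protected-route table and the console-only logging above, put together in one added TypeScript example. This is not AliQuest's own code (the page does not show `ProtectedRoute` or `app/lib/auth.ts`); the names `PERMISSIONS`, `ROUTE_FEATURES`, `checkRouteAccess`, `SecuritySink` and `MemorySink` are assumptions, as is the deny-by-default choice for unknown roles and features. The route matcher is framework-agnostic so a `ProtectedRoute` wrapper can call it before rendering, and the sink interface is the seam where the planned forwarding to the backend audit log would plug in.

```typescript
// Added example, not AliQuest's own code. All names here are assumed.

type Role = "researcher" | "admin";

type Feature =
  | "viewReagentCatalogue"
  | "viewProjectDetails"
  | "manageReagents"
  | "manageProjects"
  | "viewUsers"
  | "accessSettings"
  | "manageInventory"
  | "viewAuditLogs";

// Mirrors the permissions matrix. Any (role, feature) pair not listed is denied.
const PERMISSIONS: Record<Feature, Role[]> = {
  viewReagentCatalogue: ["researcher", "admin"],
  viewProjectDetails: ["researcher", "admin"],
  manageReagents: ["admin"],
  manageProjects: ["admin"],
  viewUsers: ["admin"],
  accessSettings: ["admin"],
  manageInventory: ["admin"],
  viewAuditLogs: ["admin"],
};

// Which feature each guarded route needs; a ":param" segment matches one non-empty segment.
const ROUTE_FEATURES: { pattern: string; feature: Feature }[] = [
  { pattern: "/users", feature: "viewUsers" },
  { pattern: "/settings", feature: "accessSettings" },
  { pattern: "/reagent/add", feature: "manageReagents" },
  { pattern: "/reagent/edit/:id", feature: "manageReagents" },
  { pattern: "/project/add", feature: "manageProjects" },
  { pattern: "/project/edit/:id", feature: "manageProjects" },
];

// Deny by default: a null role, an unknown role or an unknown feature all yield false.
function can(role: string | null, feature: Feature): boolean {
  if (role === null) return false;
  const allowed: Role[] | undefined = PERMISSIONS[feature];
  return allowed !== undefined && allowed.indexOf(role as Role) !== -1;
}

// Segment-wise match; extra or missing segments never match, so
// "/reagent/edit/42/extra" and "/reagent/edit/" are not treated as the edit page.
function matchRoute(pattern: string, path: string): boolean {
  const want = pattern.split("/");
  const got = path.split("?")[0].split("/");
  if (want.length !== got.length) return false;
  for (let i = 0; i < want.length; i++) {
    if (want[i].charAt(0) === ":") {
      if (got[i] === "") return false;
    } else if (want[i] !== got[i]) {
      return false;
    }
  }
  return true;
}

interface SecurityEvent { kind: "unauthorized_route"; path: string; role: string | null; at: string; }
interface SecuritySink { record(event: SecurityEvent): void; }

// Current state of the page: browser console only, nothing persisted.
const consoleSink: SecuritySink = {
  record: (event) => console.warn("[security]", JSON.stringify(event)),
};

// Buffers events in memory; a backend-forwarding sink would flush this to the audit-log API.
class MemorySink implements SecuritySink {
  events: SecurityEvent[] = [];
  record(event: SecurityEvent): void { this.events.push(event); }
}

type Reason = "ok" | "unauthenticated" | "forbidden";
interface Decision { allowed: boolean; reason: Reason; feature: Feature | null; }

// The check a ProtectedRoute wrapper would run before rendering. Routes not in
// ROUTE_FEATURES are open to any signed-in user, matching "only admin-only pages are wrapped".
function checkRouteAccess(path: string, role: string | null, sink: SecuritySink = consoleSink): Decision {
  let required: Feature | null = null;
  for (let i = 0; i < ROUTE_FEATURES.length; i++) {
    if (matchRoute(ROUTE_FEATURES[i].pattern, path)) { required = ROUTE_FEATURES[i].feature; break; }
  }
  const denied = (reason: Reason): Decision => {
    sink.record({ kind: "unauthorized_route", path: path, role: role, at: new Date().toISOString() });
    return { allowed: false, reason: reason, feature: required };
  };
  if (role === null) return denied("unauthenticated");
  if (required === null || can(role, required)) return { allowed: true, reason: "ok", feature: required };
  return denied("forbidden");
}

console.log(checkRouteAccess("/reagent/edit/42", "researcher"));
```

Keeping the matrix as the only place that says who may do what means the route table and any in-page buttons (`can(role, "manageReagents")`) cannot drift apart; the backend should be driven from the same list, since the frontend copy is advisory only.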
Current State
Current: security events are logged to the browser console during development only. They are not persisted and are visible only in the browser's developer tools, so they provide no audit trail yet.
In Progress: Keycloak is not yet integrated. Mock auth is used during development via `app/lib/auth.ts`; only this file needs to change when Keycloak is ready.
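An added example of what the single swap point `app/lib/auth.ts` can look like; it is not the project's file. The mock provider mints an unsigned token with the claim shape Keycloak emits for realm roles (`realm_access.roles`, an assumption about which Keycloak claim AliQuest will use), and `roleFromToken` maps those claims to an app role with deny-by-default and an expiry check, so replacing the mock with Keycloak changes only the token source. All names are hypothetical; the base64url helpers are inline so the block runs without Node's `Buffer` or the browser's `atob`.

```typescript
// Added example of the single swap point app/lib/auth.ts is meant to be.
// Not the project's file; names and the realm_access.roles claim path are assumptions.

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// Inline base64url helpers (Latin-1 only, enough for the ASCII claims used here)
// so the example runs without Node Buffer or browser atob/btoa.
function base64UrlEncode(text: string): string {
  let bits = 0, value = 0, out = "";
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code > 0xff) throw new Error("non-Latin-1 input");
    value = (value << 8) | code;
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out += B64URL.charAt((value >>> bits) & 0x3f);
      value &= (1 << bits) - 1;
    }
  }
  if (bits > 0) out += B64URL.charAt((value << (6 - bits)) & 0x3f);
  return out;
}

function base64UrlDecode(data: string): string {
  const clean = data.replace(/=+$/, "");
  let bits = 0, value = 0, out = "";
  for (let i = 0; i < clean.length; i++) {
    const idx = B64URL.indexOf(clean.charAt(i));
    if (idx < 0) throw new Error("invalid base64url input");
    value = (value << 6) | idx;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out += String.fromCharCode((value >>> bits) & 0xff);
      value &= (1 << bits) - 1;
    }
  }
  return out;
}

type AppRole = "researcher" | "admin";

interface AuthProvider {
  getToken(): string | null; // raw JWT, or null when signed out
}

// Payload decode only. The frontend holds no trusted key, so it does not verify the
// signature; the backend does that on every API request (see Known Limitations).
function decodePayload(token: string): any {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return JSON.parse(base64UrlDecode(parts[1]));
  } catch (e) {
    return null;
  }
}

// Keycloak puts realm roles in realm_access.roles (assumed to be the claim AliQuest
// will use; client roles live under resource_access.<client>.roles instead).
// Deny by default: malformed or expired tokens and unknown roles map to no app role.
function roleFromToken(token: string | null, nowMs: number = Date.now()): AppRole | null {
  if (token === null) return null;
  const payload = decodePayload(token);
  if (payload === null || typeof payload !== "object") return null;
  if (typeof payload.exp === "number" && payload.exp * 1000 <= nowMs) return null;
  const roles = payload.realm_access && payload.realm_access.roles;
  if (!Array.isArray(roles)) return null;
  if (roles.indexOf("admin") !== -1) return "admin";
  if (roles.indexOf("researcher") !== -1) return "researcher";
  return null;
}

// Development-only mock: mints header.payload.<empty signature> with alg "none" so the
// rest of the app reads exactly the claim shape it will get from Keycloak. The backend
// must reject alg "none" / unsigned tokens, and this provider must never ship to production.
class MockAuthProvider implements AuthProvider {
  private token: string | null = null;
  login(role: AppRole, ttlSeconds: number = 3600): void {
    const header = base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" }));
    const payload = base64UrlEncode(JSON.stringify({
      sub: "dev-user",
      preferred_username: "dev",
      realm_access: { roles: [role] },
      exp: Math.floor(Date.now() / 1000) + ttlSeconds,
    }));
    this.token = header + "." + payload + ".";
  }
  logout(): void { this.token = null; }
  getToken(): string | null { return this.token; }
}

const devAuth = new MockAuthProvider();
devAuth.login("researcher");
console.log("role:", roleFromToken(devAuth.getToken()));
```

Because `roleFromToken` never trusts the token beyond reading it, the Keycloak provider that replaces `MockAuthProvider` only has to return the real access token; the mapping, the expiry check and the deny-by-default behaviour stay the same, and the real enforcement still happens when the backend verifies the signature.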
Known Limitations
Frontend RBAC only controls what the user sees; anyone can bypass it by editing client-side code or calling the API directly. The backend must enforce the same rules by validating the Keycloak JWT and its role claims on every API request. Frontend RBAC is a defence-in-depth and usability layer, not the enforcement point.