# RBAC Authorization Policy

:::tip{title="Custom Policy Example"}

Zuplo is extensible, so we don't have a built-in policy for RBAC Authorization. Instead, we have a template here that shows you how you can use your superpower (code) to achieve your goals. To learn more about custom policies, [see the documentation](/policies/custom-code-inbound).

:::

RBAC policies can be built many ways depending on your requirements. This
example shows how to perform a simple check of whether or not the current user
is a member of a set of allowed roles.

```ts title="modules/my-policy.ts"
import { HttpProblems, ZuploContext, ZuploRequest } from "@zuplo/runtime";

interface PolicyOptions {
  // Optional; defaults to [] (see Policy Options), which allows nobody
  allowedRoles?: string[];
}

export default async function (
  request: ZuploRequest,
  context: ZuploContext,
  options: PolicyOptions,
  policyName: string,
) {
  // Check that an authenticated user is set
  // NOTE: This policy requires an authentication policy to run before it
  if (!request.user) {
    context.log.error(
      "User isn't authenticated. An authentication policy must come before the RBAC policy.",
    );
    return HttpProblems.unauthorized(request, context);
  }

  // Check that the user has roles. Only an array is accepted: a bare string
  // would make `includes` below do a substring match instead of a role match.
  const roles = request.user.data?.roles;
  if (!Array.isArray(roles)) {
    context.log.error("The user isn't assigned any roles.");
    return HttpProblems.unauthorized(request, context);
  }

  // Check that the user has one of the allowed roles. A missing or empty
  // allowedRoles option allows no one, so the policy fails closed.
  const allowedRoles = options.allowedRoles ?? [];
  if (!allowedRoles.some((allowedRole) => roles.includes(allowedRole))) {
    context.log.error(
      `The user '${request.user.sub}' isn't authorized to perform this action.`,
    );
    return HttpProblems.forbidden(request, context);
  }

  // If they made it here, they are authorized
  return request;
}
```

## Configuration

The example below shows how to configure a custom code policy in the `policies.json` document that uses the example policy code above.

```json title="config/policies.json"
{
  "name": "my-rbac-policy-inbound-policy",
  "policyType": "rbac-policy-inbound",
  "handler": {
    "export": "default",
    "module": "$import(./modules/YOUR_MODULE)",
    "options": {
      "allowedRoles": ["admin", "editor"]
    }
  }
}
```

### Policy Configuration

- `name` <code className="text-green-600">&lt;string&gt;</code> - The name of your policy instance. This is used as a reference in your routes.
- `policyType` <code className="text-green-600">&lt;string&gt;</code> - The identifier of the policy. This is used by the Zuplo UI. Value should be `rbac-policy-inbound`.
- `handler.export` <code className="text-green-600">&lt;string&gt;</code> - The name of the exported type. Value should be `default`.
- `handler.module` <code className="text-green-600">&lt;string&gt;</code> - The module containing the policy. Value should be `$import(./modules/YOUR_MODULE)`.
- `handler.options` <code className="text-green-600">&lt;object&gt;</code> - The options for this policy. [See Policy Options](#policy-options) below.

### Policy Options

The options for this policy are specified below. All properties are optional unless specifically marked as required.

- `allowedRoles` <code className="text-green-600">&lt;string[]&gt;</code> - The roles allowed to access the resource. Defaults to `[]`, which allows no one.
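As an added example (not Zuplo's own code), the decision logic of the policy above is isolated from the Zuplo runtime so it can be exercised offline against constructed users, including the fail-closed behaviour of the `[]` default for `allowedRoles`. The names `authorize`, `UserLike`, `SAMPLE_USERS` and `evaluateSamples` are this example's own.

```typescript
// Added example, not part of Zuplo's policy code: the decision logic of the RBAC
// policy above, isolated from the Zuplo runtime so it can be tested offline.
type Decision = "allow" | "unauthorized" | "forbidden";

// Minimal stand-in for the fields of request.user that the policy reads.
interface UserLike {
  sub: string;
  data?: { roles?: unknown };
}

// Mirrors the policy: 401 (unauthorized) when there is no user or no role array,
// 403 (forbidden) when none of the user's roles is allowed, otherwise allow.
function authorize(
  user: UserLike | undefined,
  allowedRoles: string[] = [], // documented default: [] means nobody is allowed
): Decision {
  if (!user) return "unauthorized";
  const roles = user.data?.roles;
  // Only an array is accepted: on a string, `includes` would do a substring
  // match, so an allowed role "admin" would match a user whose role is "superadmin".
  if (!Array.isArray(roles)) return "unauthorized";
  const allowed = allowedRoles.some((r) => roles.includes(r));
  return allowed ? "allow" : "forbidden";
}

// Constructed sample users covering the cases the policy distinguishes.
const SAMPLE_USERS: Record<string, UserLike> = {
  admin: { sub: "alice", data: { roles: ["admin"] } },
  viewer: { sub: "bob", data: { roles: ["viewer"] } },
  stringRole: { sub: "carol", data: { roles: "superadmin" } },
  noRoles: { sub: "dave", data: {} },
};

// Runs every sample against the page's configuration, allowedRoles: ["admin", "editor"].
function evaluateSamples(
  allowedRoles: string[] = ["admin", "editor"],
): Record<string, Decision> {
  const result: Record<string, Decision> = {};
  for (const [name, user] of Object.entries(SAMPLE_USERS)) {
    result[name] = authorize(user, allowedRoles);
  }
  return result;
}

console.log(evaluateSamples());
```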

## Using the Policy

Read more about [how policies work](/articles/policies).
