# Access Control (/docs/plugins/access-control)

The RBAC plugin adds flow-level access control. It depends on the auth plugin — users must be authenticated before RBAC can check their permissions.

## Installation [#installation]

<Tabs items="['pnpm', 'npm', 'yarn', 'bun']">
  <Tab value="pnpm">
    ```bash
    pnpm add @flowlib/rbac
    ```
  </Tab>

  <Tab value="npm">
    ```bash
    npm install @flowlib/rbac
    ```
  </Tab>

  <Tab value="yarn">
    ```bash
    yarn add @flowlib/rbac
    ```
  </Tab>

  <Tab value="bun">
    ```bash
    bun add @flowlib/rbac
    ```
  </Tab>
</Tabs>

## Setup [#setup]

Add it after the auth plugin in your config:

```ts title="flowlib.config.ts"
import { auth } from '@flowlib/user-auth';
import { rbac } from '@flowlib/rbac';

export const flowlibConfig = defineConfig({
  // ...
  plugins: [
    auth({
      /* ... */
    }),
    rbac(),
  ],
});
```

Plugin order matters: auth resolves the session first, then RBAC checks permissions.

Regenerate the schema to create the `flow_access` table:

```bash
npx flowlib-cli generate
npx flowlib-cli migrate --push
```

## How it works [#how-it-works]

The RBAC plugin introduces **flow-level access roles**. Each user can be assigned a role on each flow:

| Role     | Permissions                                    |
| -------- | ---------------------------------------------- |
| `owner`  | Full access — edit, run, delete, manage access |
| `editor` | Edit and run the flow                          |
| `viewer` | View the flow and its runs                     |

The `onAuthorize` hook checks whether the requesting user has the required role for the action they're attempting (e.g., `flow:read`, `flow-run:create`, `flow:delete`). Global admins bypass RBAC checks.
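The following is an added illustration, not the plugin's own code, of the decision the `onAuthorize` hook makes: roles come from `flow_access`, global admins bypass the role check, and anything not explicitly permitted is denied. The role names and the actions `flow:read`, `flow-run:create` and `flow:delete` are from the table above; the `flow:update` and `flow-access:manage` action names, the `User` and `AccessRule` shapes, and the sample data are assumptions made for this example.

```typescript
// Added example modelling the onAuthorize decision. Not the @flowlib/rbac
// implementation; the data shapes and two extra action names are assumed.

type Role = 'owner' | 'editor' | 'viewer';

interface User {
  id: string;
  isGlobalAdmin: boolean;
}

// One row of the flow_access table: the role a user holds on one flow.
interface AccessRule {
  flowId: string;
  userId: string;
  role: Role;
}

// Roles sufficient for each action. Actions absent from this map are denied.
const REQUIRED_ROLES: Record<string, readonly Role[]> = {
  'flow:read': ['owner', 'editor', 'viewer'],
  'flow-run:create': ['owner', 'editor'],
  'flow:update': ['owner', 'editor'],       // assumed action name
  'flow:delete': ['owner'],
  'flow-access:manage': ['owner'],          // assumed action name
};

interface Decision {
  allowed: boolean;
  reason: string;
}

// Look up the caller's role on a single flow (undefined = no row).
function roleFor(rules: AccessRule[], flowId: string, userId: string): Role | undefined {
  return rules.find((r) => r.flowId === flowId && r.userId === userId)?.role;
}

// The authorization decision for one request.
function authorize(rules: AccessRule[], user: User | null, action: string, flowId: string): Decision {
  // RBAC runs after the auth plugin; with no session there is nothing to check.
  if (!user) return { allowed: false, reason: 'unauthenticated' };

  // Global admins bypass per-flow roles entirely.
  if (user.isGlobalAdmin) return { allowed: true, reason: 'global admin bypass' };

  // Deny by default: an action the plugin does not know is never permitted.
  const sufficient = REQUIRED_ROLES[action];
  if (!sufficient) return { allowed: false, reason: `unknown action ${action}` };

  const role = roleFor(rules, flowId, user.id);
  if (!role) return { allowed: false, reason: 'no role on this flow' };
  if (!sufficient.includes(role)) return { allowed: false, reason: `role ${role} cannot ${action}` };

  return { allowed: true, reason: `role ${role} permits ${action}` };
}

// Constructed sample data for a single flow.
const SAMPLE_RULES: AccessRule[] = [
  { flowId: 'flow-1', userId: 'alice', role: 'owner' },
  { flowId: 'flow-1', userId: 'bob', role: 'editor' },
  { flowId: 'flow-1', userId: 'carol', role: 'viewer' },
];

const ALICE: User = { id: 'alice', isGlobalAdmin: false };
const BOB: User = { id: 'bob', isGlobalAdmin: false };
const CAROL: User = { id: 'carol', isGlobalAdmin: false };
const DAVE: User = { id: 'dave', isGlobalAdmin: false };  // no row on flow-1
const ROOT: User = { id: 'root', isGlobalAdmin: true };   // no row, but admin

// Walk through the cases a reviewer would want to see.
for (const [user, action] of [
  [ALICE, 'flow:delete'],
  [BOB, 'flow:delete'],
  [CAROL, 'flow-run:create'],
  [CAROL, 'flow:read'],
  [DAVE, 'flow:read'],
  [ROOT, 'flow:delete'],
  [ALICE, 'flow:export'],
] as const) {
  const d = authorize(SAMPLE_RULES, user, action, 'flow-1');
  console.log(`${user.id} ${action}: ${d.allowed ? 'ALLOW' : 'DENY'} (${d.reason})`);
}
```

Two points in this model are worth keeping when reading the real plugin: the check happens only after auth has produced a user, and an action string with no entry in the role map is denied rather than ignored, so a typo in a new action fails closed.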

## Frontend components [#frontend-components]

The plugin contributes UI elements to the editor:

* **Share button** — in the flow editor header, opens a dialog to manage access
* **Flow Access Panel** — a tab in the editor panel showing who has access
* **Access management page** — a full page listing all flow access rules
* **Sidebar item** — navigation link to the access management page

These are registered as frontend plugin contributions and render automatically when the RBAC plugin is active.

## API endpoints [#api-endpoints]

| Endpoint                                     | Method | Description                  |
| -------------------------------------------- | ------ | ---------------------------- |
| `/plugins/rbac/flows/:flowId/access`         | GET    | List access rules for a flow |
| `/plugins/rbac/flows/:flowId/access`         | POST   | Grant access to a user       |
| `/plugins/rbac/flows/:flowId/access/:userId` | PUT    | Update a user's role         |
| `/plugins/rbac/flows/:flowId/access/:userId` | DELETE | Remove a user's access       |
