What I learnt about Access Control

Sherry Hsu
3 min read, May 23, 2021


After taking Wesbos’ Advanced React course, I got a better idea of how to configure user access control! Here is what I learnt, with examples based on the KeystoneJS server.

Authentication VS Authorisation

Authentication — checks if the user is signed in.

Authorisation — checks if the user has permission to perform certain actions.

What does the structure look like ?

The Key Piece! => Session!

In the main KeystoneJS configuration, the Session passes the user details, such as id and email, along with the request.

In the KeystoneJS schema definition, all permission/rule functions that configure CRUD access receive the session as an input. Using the session, the permission/rule functions can read the user info and decide whether to let the user perform this action!

Schema access controls are set by Rules and Permissions

Like in an RPG game…

I find it easier to relate the 4 things used to set up access control to a game.

The Role is like a helmet or protective gear. It can have special capabilities (permissions) attached, like [x] can unlock the red door.

Users (players) can wear different protective gear. Multiple people in the team may wear the same iron helmet and so share the same permission: [x] can unlock the red door.

Sometimes the Chosen One, or The One, does not need any special gear to have the permission! That is dictated by the Rules.

Putting everything together

  • Role is another Schema type, used specifically for assigning a set of permissions to users.
  • In KeystoneJS, for Roles, we can create an admin UI with a checkbox list of permissions that we can enable for different Roles.
  • In the Session, we can expose the permissions that a user has, so that GraphQL queries can receive this user’s permission info. See line 84
  • The Rules are made of permissions plus the session data, so that we can add more flexibility to access controls. Not only can we allow specific users to have access, we can also give more granularity in what they can access! For instance, in this example, the canReadProducts rule returns a Keystone query — for users without specific permissions granted, if they are the owner, they can see all of their products. Otherwise, they can only see available products:
// Owners see all of their own products; everyone else only sees AVAILABLE ones.
return {
  OR: [{ user: { id: session.itemId } }, { status: 'AVAILABLE' }],
};
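
As an added example (not the post’s or Keystone’s own code), here is a small rules module in the pattern described above: permission checks read the role that the session is assumed to expose under session.data.role, and the canReadProducts rule returns true for a user holding the assumed canManageProducts permission, or otherwise the owner-or-AVAILABLE filter. A tiny in-memory evaluator applies that filter to constructed products so the rule can be run without a database.

```javascript
// Permission flags a Role can carry (the checkboxes in Keystone's admin UI).
// Names and the session shape are assumptions for this example.
const permissionNames = ['canManageProducts', 'canManageUsers'];

// Each permission check only looks at the role exposed on the session.
const permissions = Object.fromEntries(
  permissionNames.map((name) => [
    name,
    ({ session }) => Boolean(session?.data?.role?.[name]),
  ])
);

const isSignedIn = ({ session }) => Boolean(session);

// Rules combine a permission with session data and return either a boolean
// (allow/deny everything) or a filter object merged into the list query.
const rules = {
  canReadProducts({ session }) {
    if (!isSignedIn({ session })) return false;
    if (permissions.canManageProducts({ session })) return true; // sees all
    // Otherwise: own products regardless of status, plus anyone's AVAILABLE ones.
    return {
      OR: [{ user: { id: session.itemId } }, { status: 'AVAILABLE' }],
    };
  },
};

// Minimal evaluator for the filter shape the rule above emits (OR, user, status).
function matchesFilter(item, filter) {
  if (filter.OR) return filter.OR.some((f) => matchesFilter(item, f));
  if (filter.user) return item.userId === filter.user.id;
  if (filter.status) return item.status === filter.status;
  return false;
}

// Applies the rule's verdict the way a list read would: true = everything,
// false = nothing, filter object = only matching rows.
function visibleProducts(session, products) {
  const verdict = rules.canReadProducts({ session });
  if (verdict === true) return products;
  if (verdict === false) return [];
  return products.filter((p) => matchesFilter(p, verdict));
}

// Constructed sample data: two owners, one product not yet available.
const products = [
  { id: 'p1', userId: 'u1', status: 'DRAFT' },
  { id: 'p2', userId: 'u1', status: 'AVAILABLE' },
  { id: 'p3', userId: 'u2', status: 'DRAFT' },
];
const owner = { itemId: 'u1', data: { role: null } };
const admin = { itemId: 'u3', data: { role: { canManageProducts: true } } };
```

Running visibleProducts with no session returns nothing, with the owner session returns p1 and p2, and with the admin session returns all three.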
