Role-based access control (RBAC) can be configured to protect specific paths. If the [rbac] section is configured without any auth provider, RBAC is ignored so that the configuration cannot lock every user out.
[rbac]
enabled = true
default_roles = ["reader"]
user_roles = { "alice@example.com" = ["admin"], "bob" = ["editor"] }
role_users = { "admin" = ["alice@example.com"], "editor" = ["bob"] }
[[rbac.rules]]
pattern = "^/admin"
roles = ["admin"]
[[rbac.rules]]
pattern = "^/private"
roles = ["admin", "editor"]
Notes:
If auth_required = false, only the RBAC-protected paths (those matched by an rbac.rules pattern) require login.
If auth_required = true (the default when any auth provider is configured), all routes require login; RBAC rules then additionally restrict the matched paths to the listed roles.
If both user_roles and role_users are provided, a user's roles are the union of both mappings at runtime (plus default_roles).