Improve aces control documentation

fzaninotto · fzaninotto · commit a41f30138fba · 2025-10-01T18:48:46.000+02:00
diff --git a/docs_headless/src/content/docs/canAccessWithPermissions.md b/docs_headless/src/content/docs/canAccessWithPermissions.md
@@ -2,13 +2,76 @@
 title: "canAccessWithPermissions"
 ---
 
-**Tip**: `ra-core-ee` is part of the [React-Admin Enterprise Edition](https://marmelab.com/ra-enterprise/), and hosted in a private npm registry. You need to subscribe to one of the Enterprise Edition plans to access this package.
+`canAccessWithPermissions` is a helper function that facilitates the implementation of [Access Control](./Permissions.md#access-control) policies based on an underlying list of user roles and permissions.
 
-`canAccessWithPermissions` is a helper function that facilitates the `authProvider.canAccess()` method implementation:
+It is a builder block to implement the `authProvider.canAccess()` method,  which is called by ra-core to check whether the current user has the right to perform a given action on a given resource or record.
+
+This feature requires a valid [Enterprise Edition](https://marmelab.com/ra-enterprise/) subscription.
+
+## Installation
+
+```bash
+npm install --save @react-admin/ra-core-ee
+# or
+yarn add @react-admin/ra-core-ee
+```
 
 ## Usage
 
-The user roles and permissions should be returned upon login. The `authProvider` should store the permissions in memory, or in localStorage. This allows `authProvider.canAccess()` to read the permissions from localStorage.
+`canAccessWithPermissions` is a pure function that you can call from your `authProvider.canAccess()` implementation.
+
+```tsx
+import { canAccessWithPermissions } from '@react-admin/ra-core-ee';
+
+const authProvider = {
+    // ...
+    canAccess: async ({ action, resource, record }) => {    
+        const permissions = myGetPermissionsFunction();
+        return canAccessWithPermissions({
+            permissions,
+            action,
+            resource,
+            record,
+        });
+    }
+    // ...
+};
+```
+
+The `permissions` parameter must be an array of permissions. A *permission* is an object that represents access to a subset of the application. It is defined by a `resource` (usually a noun) and an `action` (usually a verb), with sometimes an additional `record`.
+
+Here are a few examples of permissions:
+
+- `{ action: "*", resource: "*" }`: allow everything
+- `{ action: "read", resource: "*" }`: allow read actions on all resources
+- `{ action: "read", resource: ["companies", "people"] }`: allow read actions on a subset of resources
+- `{ action: ["read", "create", "edit", "export"], resource: "companies" }`: allow all actions except delete on companies
+- `{ action: ["write"], resource: "game.score", record: { "id": "123" } }`: allow write action on the score of the game with id 123
+
+:::tip
+When the `record` field is omitted, the permission is valid for all records.
+:::
+
+In most cases, the permissions are derived from user roles, which are fetched at login and stored in memory or in localStorage. Check the [`getPermissionsFromRoles`](./getPermissionsFromRoles.md) function to merge the permissions from multiple roles into a single flat array of permissions.
+
+## Parameters
+
+This function takes an object as argument with the following fields:
+
+| Name | Optional | Type | Description
+| - | - | - | - |
+| `permissions` | Required | `Array<Permission>` | An array of permissions for the current user
+| `action` | Required | `string` | The action for which to check users has the execution right
+| `resource` | Required | `string` | The resource for which to check users has the execution right
+| `record` | Required | `string` | The record for which to check users has the execution right
+
+`canAccessWithPermissions` expects the `permissions` to be a flat array of permissions. It is your responsibility to fetch these permissions (usually during login). If the permissions are spread into several role definitions, you can merge them into a single array using the [`getPermissionsFromRoles`](#getpermissionsfromroles) function.
+
+## Building RBAC
+
+The following example shows how to implement Role-based Access Control (RBAC) in `authProvider.canAccess()` using `canAccessWithPermissions` and `getPermissionsFromRoles`. The role permissions are defined in the code, and the user roles are returned by the authentication endpoint. Additional user permissions can also be returned by the authentication endpoint.
+
+The `authProvider` stores the permissions in `localStorage`, so that returning users can access their permissions without having to log in again.
 
 ```tsx
 // in roleDefinitions.ts
@@ -62,16 +125,3 @@ const authProvider = {
     // ...
 };
 ```
-
-## Parameters
-
-This function takes an object as argument with the following fields:
-
-| Name | Optional | Type | Description
-| - | - | - | - |
-| `permissions` | Required | `Array<Permission>` | An array of permissions for the current user
-| `action` | Required | `string` | The action for which to check users has the execution right
-| `resource` | Required | `string` | The resource for which to check users has the execution right
-| `record` | Required | `string` | The record for which to check users has the execution right
-
-`canAccessWithPermissions` expects the `permissions` to be a flat array of permissions. It is your responsibility to fetch these permissions (usually during login). If the permissions are spread into several role definitions, you can merge them into a single array using the [`getPermissionsFromRoles`](#getpermissionsfromroles) function.
diff --git a/docs_headless/src/content/docs/getPermissionsFromRoles.md b/docs_headless/src/content/docs/getPermissionsFromRoles.md
@@ -2,9 +2,25 @@
 title: "getPermissionsFromRoles"
 ---
 
-**Tip**: `ra-core-ee` is part of the [React-Admin Enterprise Edition](https://marmelab.com/ra-enterprise/), and hosted in a private npm registry. You need to subscribe to one of the Enterprise Edition plans to access this package.
+`getPermissionsFromRoles` returns an array of user permissions based on a role definition, a list of roles, and a list of user permissions. It merges the permissions defined in `roleDefinitions` for the current user's roles (`userRoles`) with the extra `userPermissions`.
 
-This function returns an array of user permissions based on a role definition, a list of roles, and a list of user permissions. It merges the permissions defined in `roleDefinitions` for the current user's roles (`userRoles`) with the extra `userPermissions`.
+It is a builder block to implement the `authProvider.canAccess()` method,  which is called by ra-core to check whether the current user has the right to perform a given action on a given resource or record.
+
+This feature requires a valid [Enterprise Edition](https://marmelab.com/ra-enterprise/) subscription.
+
+## Installation
+
+```bash
+npm install --save @react-admin/ra-core-ee
+# or
+yarn add @react-admin/ra-core-ee
+```
+
+## Usage
+
+`getPermissionsFromRoles` takes a configuration object as argument containing the role definitions, the user roles, and the user permissions.
+
+It returns an array of permissions that can be passed to [`canAccessWithPermissions`](./canAccessWithPermissions.md).
 
 ```ts
 import { getPermissionsFromRoles } from '@react-admin/ra-core-ee';
@@ -41,9 +57,21 @@ const permissions = getPermissionsFromRoles({
 // ];
 ```
 
-## Usage
+## Parameters
 
-The user roles and permissions should be returned upon login. The `authProvider` should store the permissions in memory, or in localStorage. This allows `authProvider.canAccess()` to read the permissions from localStorage.
+This function takes an object as argument with the following fields:
+
+| Name | Optional | Type | Description
+| - | - | - | - |
+| `roleDefinitions` | Required | `Record<string, Permission>` | A dictionary containing the role definition for each role
+| `userRoles` | Optional | `Array<string>` | An array of roles (admin, reader...) for the current user
+| `userPermissions` | Optional | `Array<Permission>` | An array of permissions for the current user
+
+## Building RBAC
+
+The following example shows how to implement Role-based Access Control (RBAC) in `authProvider.canAccess()` using `canAccessWithPermissions` and `getPermissionsFromRoles`. The role permissions are defined in the code, and the user roles are returned by the authentication endpoint. Additional user permissions can also be returned by the authentication endpoint.
+
+The `authProvider` stores the permissions in `localStorage`, so that returning users can access their permissions without having to log in again.
 
 ```tsx
 // in roleDefinitions.ts
@@ -97,14 +125,3 @@ const authProvider = {
     // ...
 };
 ```
-
-## Parameters
-
-This function takes an object as argument with the following fields:
-
-| Name | Optional | Type | Description
-| - | - | - | - |
-| `roleDefinitions` | Required | `Record<string, Permission>` | A dictionary containing the role definition for each role
-| `userRoles` | Optional | `Array<string>` | An array of roles (admin, reader...) for the current user
-| `userPermissions` | Optional | `Array<Permission>` | An array of permissions for the current user
-
