A production-ready Role-Based Access Control (RBAC) Admin Dashboard built with Next.js, TypeScript, Prisma, and PostgreSQL, featuring secure authentication, fine-grained permission management, and an AI-assisted admin command interface.
This project demonstrates real-world access control design, backend validation, frontend enforcement, and deployment-grade practices.
Imagine a school:
- Students can only enter their classroom
- Teachers can access all classrooms
- The Principal can access everything
Instead of giving everyone individual keys, we assign roles, and roles decide what actions are allowed.
Thatβs RBAC:
- Users β Roles β Permissions
- Easy to manage
- Hard to break
- Safe by default
π Live Application: https://rbac-admin-tool.vercel.app
Deployed on Vercel with a Neon PostgreSQL database. The demo showcases full RBAC functionality including authentication, role & permission management, and the AI command assistant.
- π Secure JWT authentication with httpOnly cookies
- 𧩠Modular RBAC system (Users, Roles, Permissions)
- π€ AI Command Box for natural-language admin actions
- π‘οΈ Backend + frontend safety checks (no trust in UI)
- π§ Edge-case handling (self-admin lockout prevention)
- π Cloud-ready PostgreSQL (Neon)
- β‘ Deployed on Vercel (Production)
- Next.js 16 (App Router)
- React 19
- TypeScript (Strict Mode)
- TailwindCSS
- Next.js API Routes
- Prisma ORM v7
- PostgreSQL (Neon)
- JWT authentication
- httpOnly cookies
- bcrypt password hashing
- Middleware-based route protection
- Vercel deployment
- Environment-based configuration
- Prisma migrations
RBAC-admin-tool/
βββ app/
β βββ api/
β β βββ auth/ # Authentication endpoints
β β βββ permissions/ # Permission CRUD
β β βββ roles/ # Role CRUD + mappings
β β βββ users/ # User management
β βββ dashboard/ # Protected dashboard pages
β βββ page.tsx # Landing/login page
βββ lib/
β βββ prisma.ts # Prisma client singleton
βββ prisma/
β βββ schema.prisma # Database schema
β βββ migrations/ # Database migrations
βββ middleware.ts # Auth middleware
-
Users never receive permissions directly
-
Permissions are only assigned to roles
-
Users gain access only via roles
-
Admin role protections:
- Automatically receives new permissions
- Cannot remove its own admin access
- Cannot be deleted accidentally
Admins can manage RBAC using natural language, safely.
Create permission users.export
Assign users.read permission to Editor role
Assign Admin role to admin@rbac.com
Delete permission reports.test
- No ambiguous commands
- No implicit role creation
- No Admin role modification
- Allowlisted actions only
- Safe failure (no side effects on uncertainty)
If the AI is unsure β no action is taken
- User logs in with email + password
- Password verified using bcrypt
- JWT generated and stored in httpOnly cookie
- Middleware validates JWT for protected routes
- Backend re-checks authorization on every request
UI checks are never trusted alone
Email: admin@rbac.com
Password: admin123
Role: Admin
Demo credentials are for testing and portfolio use only
POST /api/auth/signupPOST /api/auth/loginGET /api/auth/mePOST /api/auth/logout
GET /api/permissionsPOST /api/permissionsPUT /api/permissions/[id]DELETE /api/permissions/[id]
GET /api/rolesPOST /api/rolesPUT /api/roles/[id]DELETE /api/roles/[id]POST /api/roles/[id]/permissions
GET /api/usersPOST /api/users/[id]/rolesGET /api/users/[id]/rolesDELETE /api/users/[id]
POST /api/ai-command
model User {
id String @id @default(uuid())
email String @unique
password String
created_at DateTime @default(now())
user_roles UserRole[]
}
model Role {
id String @id @default(uuid())
name String @unique
created_at DateTime @default(now())
user_roles UserRole[]
role_permissions RolePermission[]
}
model Permission {
id String @id @default(uuid())
name String @unique
description String?
created_at DateTime @default(now())
role_permissions RolePermission[]
}
model UserRole {
user_id String
role_id String
user User @relation(fields: [user_id], references: [id], onDelete: Cascade)
role Role @relation(fields: [role_id], references: [id], onDelete: Cascade)
@@id([user_id, role_id])
}
model RolePermission {
role_id String
permission_id String
role Role @relation(fields: [role_id], references: [id], onDelete: Cascade)
permission Permission @relation(fields: [permission_id], references: [id], onDelete: Cascade)
@@id([role_id, permission_id])
}git clone https://github.com/yourusername/RBAC-admin-tool.git
cd RBAC-admin-toolnpm installCreate a .env file in the root directory:
DATABASE_URL="postgresql://username:password@host:5432/dbname"
JWT_SECRET="your-strong-secret"
GEMINI_API_KEY="your_gemini_api_key"npx prisma generate
npx prisma migrate devnpm run devOpen π http://localhost:3000
- Push code to GitHub
- Import repo into Vercel
- Add environment variables in Vercel Dashboard
- Deploy π
βοΈ Auto-deploy enabled on every push to main
- bcrypt password hashing
- JWT authentication with httpOnly cookies
- Backend authorization enforcement
- Middleware route protection
- Prisma ORM (SQL injection safe)
- Admin self-lockout prevention
- AI command allowlisting
- Environment-based secrets
Backend never trusts frontend input
- Prevent deleting last Admin
- Prevent Admin removing own Admin role
- Prevent duplicate role/permission assignment
- Case-insensitive role & permission checks
- Safe rollback on partial failures
- AI command ambiguity β no mutation
This project was built incrementally, following a structured, real-world development workflow.
All phases listed below are fully completed.
- β PostgreSQL setup using Neon
- β Prisma schema design (Users, Roles, Permissions, mappings)
- β Database migrations
- β Environment configuration
- β Signup API with bcrypt password hashing
- β Login API with JWT-based authentication
- β httpOnly cookie implementation
- β Authentication middleware for protected routes
- β API testing using PowerShell scripts
- β Permission CRUD APIs
- β Role CRUD APIs
- β Role β Permission mapping
- β User β Role assignment
- β Comprehensive API testing
- β Login & Signup pages with form validation
- β Dashboard layout with sidebar navigation
- β Permissions management with CRUD modals
- β Roles management with permission checkbox assignment
- β Users management with role assignment
- β Protected routes
- β Logout functionality
- β Clean, consistent UI design (no gradients)
- β AI command input interface
- β Natural language intent parsing
- β
Command β RBAC action mapping, such as:
Create a role called ManagerAssign users.read permission to Editor roleRemove admin role from user@email.com
- β
/api/ai-commandendpoint - β Real-time command execution feedback
- β Strict safety rules (allowlisting & safe failure)
- β Centralized error handling
- β Loading states & user feedback
- β Responsive UI improvements
- β Deployment on Vercel
- β Production testing with real data
This is not CRUD demo code.
This project demonstrates:
- Proper RBAC architecture
- Secure authentication patterns
- Backend-first authorization
- TypeScript + Prisma correctness
- Production debugging & deployment discipline
- Responsible AI usage in admin systems
Exactly what real engineering teams expect.
MIT License
Feel free to fork, learn, and extend π