This quiz explores key concepts of role-based access control (RBAC) within Firebase, such as roles, permissions, security rules, and best practices for data security. Reinforce your understanding of how to structure user access and protect resources using custom roles and rule-based policies.
Which principle describes assigning different access privileges to users based on their assigned role, such as 'admin', 'editor', or 'viewer'?
Explanation: Role-Based Access Control (RBAC) organizes permissions around roles and grants a user the capabilities of the roles assigned to them, rather than assigning permissions user by user. Time-Based Access Policy restricts when access may occur but does not involve roles. Static Key Authentication grants access to whoever presents a shared secret, with no notion of role. Database Indexing concerns query performance, not access privileges.
When adding role information to a user's token for access control, which Firebase feature allows you to set fields like 'admin' or 'moderator' on the user's ID token?
Explanation: Custom Claims let you attach role attributes (for example admin: true) to a user's ID token, where security rules and your backend can read them to make access decisions. They are written only from a privileged environment with the Admin SDK, are limited to 1000 bytes per user, and appear in the client's token only after it is refreshed. Realtime Triggers are for event handling, not token contents. Cloud Messaging sends notifications, and Session Refresh renews tokens but does not manage roles.
In a security rule, how can you check if an authenticated user has an 'admin' role using custom claims?
Explanation: The correct check in Cloud Firestore or Cloud Storage rules is 'request.auth.token.admin == true', which reads the claim directly from the authenticated user's verified ID token (in Realtime Database rules the equivalent is 'auth.token.admin === true'). One caveat: indexing a claim that is absent from the token is an evaluation error, so where a claim may be missing prefer 'request.auth.token.get('admin', false) == true' or test ''admin' in request.auth.token' first. 'request.token.admin == 'yes'' is not valid syntax and 'request.token' does not exist. 'user.admin exists' is not a valid path. 'claims.admin equals 1' refers to a variable that does not exist in security rules.
What is the access level of a new Firebase database created in test mode, before you write your own security rules?
Explanation: A database provisioned in test mode starts with rules that let anyone read and write, so it is open to the world; Firebase expires these open rules after 30 days, and they must never be carried into production. Rules themselves are deny-by-default: a request that no rule allows is rejected, so 'No one can access' is the outcome whenever the rules grant nothing, not only when they explicitly deny. Access for authenticated users only requires a rule such as 'request.auth != null'. 'Only the owner' refers to file-system ownership, not database security.
Why is the principle of 'least privilege' important when assigning roles in your Firebase project?
Explanation: The 'least privilege' principle ensures users have only the permissions necessary for their tasks, minimizing risks. Granting all permissions defeats the purpose of secure access control. Preventing role assignment would stop legitimate use. Unlimited access is the opposite of restricting privileges.
If your project has 'admin', 'editor', and 'viewer' roles, with each having different permissions, what concept allows 'admin' to do everything that 'editor' can do, plus more?
Explanation: Role Hierarchy describes a structure where higher-level roles inherit permissions from lower-level ones, making it easier to manage access. Session Timeout is about user sessions, not permissions. Token Encryption refers to securing tokens, not roles. Data Replication manages data copies, unrelated to permissions.
What is a common method for assigning a user the 'moderator' role so that security rules can recognize this role?
Explanation: Assigning a role via custom claim in the user's token is secure and easily referenced in security rules. Public documents are unsafe for role information. Email subjects and URL parameters are not secure or recognized ways for role assignment in access control.
If you want to allow only users with the 'viewer' role to read data but not write, how should you configure your security rules?
Explanation: Grant 'read' to requests whose token carries the 'viewer' role and grant 'write' to no one with that role; because rules are deny-by-default, simply omitting a write allow for viewers is enough to block their writes. Allowing both read and write for all users ignores role distinctions. Permitting 'write' for viewers contradicts the read-only intent. Denying all access to users with roles removes legitimate access.
Which security rule pattern prevents unauthenticated users from accessing data by checking if the user is signed in?
Explanation: Checking 'request.auth != null' ensures only authenticated users can proceed, since request.auth is null for unauthenticated requests (Realtime Database rules use 'auth != null'). 'request.token.signedUser == true' is not valid syntax. 'data.isLoggedIn == true' inspects stored data, which any writer could set, rather than the verified identity. 'allow: login' is not a valid security rule statement.
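The signed-in check, the custom-claim check, the admin/editor/viewer hierarchy and the read-only viewer from the questions above, combined into one Cloud Firestore rules file. This is an added example, not part of the quiz or of any Firebase documentation; the /articles collection and the boolean claims admin, editor and viewer are assumptions made for illustration.

```rules
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    // Unauthenticated requests arrive with request.auth == null.
    function signedIn() {
      return request.auth != null;
    }

    // Read a boolean custom claim safely. Indexing a key that is absent
    // from the token map is an evaluation error, so get() with a default
    // is used instead of request.auth.token[name].
    function hasClaim(name) {
      return signedIn() && request.auth.token.get(name, false) == true;
    }

    // Role hierarchy: admin inherits editor, editor inherits viewer.
    function isAdmin()  { return hasClaim('admin'); }
    function isEditor() { return isAdmin() || hasClaim('editor'); }
    function isViewer() { return isEditor() || hasClaim('viewer'); }

    // Hypothetical collection used to illustrate the roles.
    match /articles/{articleId} {
      // Viewers (and, through the hierarchy, editors and admins) may read.
      // Viewers match no write allow below, so their writes are denied.
      allow read: if isViewer();
      // Only editors and admins may create or change documents.
      allow create, update: if isEditor();
      // Deletion is reserved for admins.
      allow delete: if isAdmin();
    }

    // Any path not matched above has no allow statement and is denied.
  }
}
```

Test this in the Rules Playground or the emulator with tokens that carry each claim and with no token at all: the unauthenticated request must fail on every operation, and a token with only viewer: true must be able to read but not write. Remember that a claim set on the server is only visible to these rules after the client refreshes its ID token.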
What is a recommended way to safely update user roles, such as adding or removing 'admin', in a production environment?
Explanation: Roles should be changed only from a trusted server or backend process (for example a Cloud Function or an admin service) that holds Admin SDK credentials and calls setCustomUserClaims after checking that the caller is allowed to make the change; clients cannot set claims, so this keeps role assignment out of reach of tampering. The new claim appears in the user's ID token on the next refresh (by default within an hour, or immediately if the client forces a refresh), so plan for that delay when removing 'admin'. Client-side JavaScript can be manipulated and has no authority over token contents. Emails are neither a direct nor a secure way to manage roles. Hardcoding roles in mobile apps prevents dynamic role changes and can be read or patched by anyone with the binary.