firecrawl-enterprise-rbac
Compare original and translation side by side
🇺🇸
Original
English🇨🇳
Translation
ChineseFireCrawl Enterprise RBAC
FireCrawl 企业版 RBAC
Overview
概述
Configure enterprise-grade access control for FireCrawl integrations.
为FireCrawl集成配置企业级访问控制。
Prerequisites
前提条件
- FireCrawl Enterprise tier subscription
- Identity Provider (IdP) with SAML/OIDC support
- Understanding of role-based access patterns
- Audit logging infrastructure
- 已订阅FireCrawl企业版
- 支持SAML/OIDC的身份提供商(IdP)
- 了解基于角色的访问模式
- 审计日志基础设施
Role Definitions
角色定义
| Role | Permissions | Use Case |
|---|---|---|
| Admin | Full access | Platform administrators |
| Developer | Read/write, no delete | Active development |
| Viewer | Read-only | Stakeholders, auditors |
| Service | API access only | Automated systems |
| 角色 | 权限 | 使用场景 |
|---|---|---|
| Admin | 完全访问权限 | 平台管理员 |
| Developer | 读写权限,无删除权限 | 活跃开发场景 |
| Viewer | 只读权限 | 利益相关者、审计人员 |
| Service | 仅API访问权限 | 自动化系统 |
Role Implementation
角色实现
typescript
enum FireCrawlRole {
Admin = 'admin',
Developer = 'developer',
Viewer = 'viewer',
Service = 'service',
}
interface FireCrawlPermissions {
read: boolean;
write: boolean;
delete: boolean;
admin: boolean;
}
const ROLE_PERMISSIONS: Record<FireCrawlRole, FireCrawlPermissions> = {
admin: { read: true, write: true, delete: true, admin: true },
developer: { read: true, write: true, delete: false, admin: false },
viewer: { read: true, write: false, delete: false, admin: false },
service: { read: true, write: true, delete: false, admin: false },
};
function checkPermission(
role: FireCrawlRole,
action: keyof FireCrawlPermissions
): boolean {
return ROLE_PERMISSIONS[role][action];
}typescript
enum FireCrawlRole {
Admin = 'admin',
Developer = 'developer',
Viewer = 'viewer',
Service = 'service',
}
interface FireCrawlPermissions {
read: boolean;
write: boolean;
delete: boolean;
admin: boolean;
}
const ROLE_PERMISSIONS: Record<FireCrawlRole, FireCrawlPermissions> = {
admin: { read: true, write: true, delete: true, admin: true },
developer: { read: true, write: true, delete: false, admin: false },
viewer: { read: true, write: false, delete: false, admin: false },
service: { read: true, write: true, delete: false, admin: false },
};
function checkPermission(
role: FireCrawlRole,
action: keyof FireCrawlPermissions
): boolean {
return ROLE_PERMISSIONS[role][action];
}SSO Integration
SSO集成
SAML Configuration
SAML配置
typescript
// FireCrawl SAML setup
const samlConfig = {
entryPoint: 'https://idp.company.com/saml/sso',
issuer: 'https://firecrawl.com/saml/metadata',
cert: process.env.SAML_CERT,
callbackUrl: 'https://app.yourcompany.com/auth/firecrawl/callback',
};
// Map IdP groups to FireCrawl roles
const groupRoleMapping: Record<string, FireCrawlRole> = {
'Engineering': FireCrawlRole.Developer,
'Platform-Admins': FireCrawlRole.Admin,
'Data-Team': FireCrawlRole.Viewer,
};typescript
// FireCrawl SAML setup
const samlConfig = {
entryPoint: 'https://idp.company.com/saml/sso',
issuer: 'https://firecrawl.com/saml/metadata',
cert: process.env.SAML_CERT,
callbackUrl: 'https://app.yourcompany.com/auth/firecrawl/callback',
};
// Map IdP groups to FireCrawl roles
const groupRoleMapping: Record<string, FireCrawlRole> = {
'Engineering': FireCrawlRole.Developer,
'Platform-Admins': FireCrawlRole.Admin,
'Data-Team': FireCrawlRole.Viewer,
};OAuth2/OIDC Integration
OAuth2/OIDC集成
typescript
import { OAuth2Client } from '@firecrawl/sdk';
const oauthClient = new OAuth2Client({
clientId: process.env.FIRECRAWL_OAUTH_CLIENT_ID!,
clientSecret: process.env.FIRECRAWL_OAUTH_CLIENT_SECRET!,
redirectUri: 'https://app.yourcompany.com/auth/firecrawl/callback',
scopes: ['read', 'write'],
});typescript
import { OAuth2Client } from '@firecrawl/sdk';
const oauthClient = new OAuth2Client({
clientId: process.env.FIRECRAWL_OAUTH_CLIENT_ID!,
clientSecret: process.env.FIRECRAWL_OAUTH_CLIENT_SECRET!,
redirectUri: 'https://app.yourcompany.com/auth/firecrawl/callback',
scopes: ['read', 'write'],
});Organization Management
组织管理
typescript
interface FireCrawlOrganization {
id: string;
name: string;
ssoEnabled: boolean;
enforceSso: boolean;
allowedDomains: string[];
defaultRole: FireCrawlRole;
}
async function createOrganization(
config: FireCrawlOrganization
): Promise<void> {
await firecrawlClient.organizations.create({
...config,
settings: {
sso: {
enabled: config.ssoEnabled,
enforced: config.enforceSso,
domains: config.allowedDomains,
},
},
});
}typescript
interface FireCrawlOrganization {
id: string;
name: string;
ssoEnabled: boolean;
enforceSso: boolean;
allowedDomains: string[];
defaultRole: FireCrawlRole;
}
async function createOrganization(
config: FireCrawlOrganization
): Promise<void> {
await firecrawlClient.organizations.create({
...config,
settings: {
sso: {
enabled: config.ssoEnabled,
enforced: config.enforceSso,
domains: config.allowedDomains,
},
},
});
}Access Control Middleware
访问控制中间件
typescript
function requireFireCrawlPermission(
requiredPermission: keyof FireCrawlPermissions
) {
return async (req: Request, res: Response, next: NextFunction) => {
const user = req.user as { firecrawlRole: FireCrawlRole };
if (!checkPermission(user.firecrawlRole, requiredPermission)) {
return res.status(403).json({
error: 'Forbidden',
message: `Missing permission: ${requiredPermission}`,
});
}
next();
};
}
// Usage
app.delete('/firecrawl/resource/:id',
requireFireCrawlPermission('delete'),
deleteResourceHandler
);typescript
function requireFireCrawlPermission(
requiredPermission: keyof FireCrawlPermissions
) {
return async (req: Request, res: Response, next: NextFunction) => {
const user = req.user as { firecrawlRole: FireCrawlRole };
if (!checkPermission(user.firecrawlRole, requiredPermission)) {
return res.status(403).json({
error: 'Forbidden',
message: `Missing permission: ${requiredPermission}`,
});
}
next();
};
}
// Usage
app.delete('/firecrawl/resource/:id',
requireFireCrawlPermission('delete'),
deleteResourceHandler
);Audit Trail
审计追踪
typescript
interface FireCrawlAuditEntry {
timestamp: Date;
userId: string;
role: FireCrawlRole;
action: string;
resource: string;
success: boolean;
ipAddress: string;
}
async function logFireCrawlAccess(entry: FireCrawlAuditEntry): Promise<void> {
await auditDb.insert(entry);
// Alert on suspicious activity
if (entry.action === 'delete' && !entry.success) {
await alertOnSuspiciousActivity(entry);
}
}typescript
interface FireCrawlAuditEntry {
timestamp: Date;
userId: string;
role: FireCrawlRole;
action: string;
resource: string;
success: boolean;
ipAddress: string;
}
async function logFireCrawlAccess(entry: FireCrawlAuditEntry): Promise<void> {
await auditDb.insert(entry);
// Alert on suspicious activity
if (entry.action === 'delete' && !entry.success) {
await alertOnSuspiciousActivity(entry);
}
}Instructions
操作步骤
Step 1: Define Roles
步骤1:定义角色
Map organizational roles to FireCrawl permissions.
将组织角色映射到FireCrawl权限。
Step 2: Configure SSO
步骤2:配置SSO
Set up SAML or OIDC integration with your IdP.
与你的身份提供商(IdP)设置SAML或OIDC集成。
Step 3: Implement Middleware
步骤3:实现中间件
Add permission checks to API endpoints.
为API端点添加权限检查。
Step 4: Enable Audit Logging
步骤4:启用审计日志
Track all access for compliance.
追踪所有访问行为以满足合规要求。
Output
输出结果
- Role definitions implemented
- SSO integration configured
- Permission middleware active
- Audit trail enabled
- 已实现角色定义
- 已配置SSO集成
- 已激活权限中间件
- 已启用审计追踪
Error Handling
错误处理
| Issue | Cause | Solution |
|---|---|---|
| SSO login fails | Wrong callback URL | Verify IdP config |
| Permission denied | Missing role mapping | Update group mappings |
| Token expired | Short TTL | Refresh token logic |
| Audit gaps | Async logging failed | Check log pipeline |
| 问题 | 原因 | 解决方案 |
|---|---|---|
| SSO登录失败 | 回调URL错误 | 验证IdP配置 |
| 权限拒绝 | 缺少角色映射 | 更新组映射关系 |
| 令牌过期 | 令牌TTL过短 | 实现令牌刷新逻辑 |
| 审计日志缺失 | 异步日志记录失败 | 检查日志管道 |
Examples
示例
Quick Permission Check
快速权限检查
typescript
if (!checkPermission(user.role, 'write')) {
throw new ForbiddenError('Write permission required');
}typescript
if (!checkPermission(user.role, 'write')) {
throw new ForbiddenError('Write permission required');
}Resources
参考资源
Next Steps
后续步骤
For major migrations, see .
firecrawl-migration-deep-dive如需进行大规模迁移,请参考。
firecrawl-migration-deep-dive