Rules and patterns for implementing RBAC (Role-Based Access Control) in a Lutece 8 plugin. Entity permissions, ResourceIdService, plugin.xml declaration, JspBean authorization checks.
February 5, 2026
```
npx add-skill https://github.com/lutece-platform/lutece-dev-plugin-claude/blob/main/skills/lutece-rbac/SKILL.md -a claude-code --skill lutece-rbac
```
Installation paths: `.claude/skills/lutece-rbac/`
# Lutece 8 RBAC Implementation
> Before implementing RBAC, consult `~/.lutece-references/lutece-form-plugin-forms/` — specifically `FormsResourceIdService.java`, `AbstractJspBean.java`, and `FormJspBean.java`.
## Architecture Overview
```
Entity (implements RBACResource)
↓ getResourceTypeCode() / getResourceId()
ResourceIdService (registers type + permissions)
↓ register() → ResourceTypeManager
plugin.xml (declares <rbac-resource-type-class>)
↓
RBACService.isAuthorized(type, id, permission, user)
↓ checks user roles against RBAC table
JspBean (enforces authorization)
```
## Step 1 — Entity Implements RBACResource
```java
import fr.paris.lutece.portal.service.rbac.RBACResource;

public class Entity implements RBACResource
{
    public static final String RESOURCE_TYPE = "MYPLUGIN_ENTITY";

    private int _nId;

    @Override
    public String getResourceTypeCode( )
    {
        return RESOURCE_TYPE;
    }

    @Override
    public String getResourceId( )
    {
        return String.valueOf( _nId );
    }
}
```
**Rules:**
- `RESOURCE_TYPE` is a unique constant — use `PLUGINNAME_ENTITYNAME` in uppercase
- `getResourceId()` returns the ID as a String
- The entity class must also have its normal fields, getters/setters
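To illustrate why the type code must be unique and the id a String, here is a simplified, self-contained model of the role-table lookup (an added example, not Lutece's `RBACService` and not code from this skill). The `Grant` rows, the role names, `OTHERPLUGIN_THING` and the `*` wildcard marker are assumptions made for the illustration.

```java
import java.util.List;
import java.util.Set;

// Simplified model of the role-table lookup; not Lutece's RBACService.
public class RbacLookupModel
{
    static final String WILDCARD = "*"; // assumed marker for "any id" / "any permission"

    // Same two methods as the RBACResource contract in Step 1.
    interface Resource
    {
        String getResourceTypeCode( );
        String getResourceId( );
    }

    record Entity( int nId ) implements Resource
    {
        public String getResourceTypeCode( ) { return "MYPLUGIN_ENTITY"; }
        public String getResourceId( ) { return String.valueOf( nId ); }
    }

    // One constructed row: a role grants a permission on a resource type and id.
    record Grant( String role, String type, String id, String permission ) { }

    // Deny by default: authorized only if a row held by one of the user's roles matches.
    static boolean isAuthorized( List<Grant> table, Set<String> roles, Resource r, String permission )
    {
        return table.stream( ).anyMatch( g -> roles.contains( g.role( ) )
                && g.type( ).equals( r.getResourceTypeCode( ) )
                && ( g.id( ).equals( WILDCARD ) || g.id( ).equals( r.getResourceId( ) ) )
                && ( g.permission( ).equals( WILDCARD ) || g.permission( ).equals( permission ) ) );
    }

    public static void main( String [ ] args )
    {
        List<Grant> table = List.of( // constructed sample rows
                new Grant( "entity_reader", "MYPLUGIN_ENTITY", WILDCARD, "VIEW" ),
                new Grant( "entity_42_editor", "MYPLUGIN_ENTITY", "42", "MODIFY" ),
                new Grant( "other_admin", "OTHERPLUGIN_THING", WILDCARD, WILDCARD ) );
        Entity e42 = new Entity( 42 );
        Entity e7 = new Entity( 7 );
        // Row scoped to id "42" matches only the entity whose getResourceId( ) is "42".
        System.out.println( isAuthorized( table, Set.of( "entity_42_editor" ), e42, "MODIFY" ) );
        System.out.println( isAuthorized( table, Set.of( "entity_42_editor" ), e7, "MODIFY" ) );
        // A wildcard grant on another type code does not reach MYPLUGIN_ENTITY.
        System.out.println( isAuthorized( table, Set.of( "other_admin" ), e42, "DELETE" ) );
        // No roles, no access.
        System.out.println( isAuthorized( table, Set.of( ), e42, "VIEW" ) );
    }
}
```

If two plugins shared one type code, a wildcard grant written for one would match the other's resources, which is the reason for the `PLUGINNAME_ENTITYNAME` convention.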
## Step 2 — ResourceIdService
```java
import fr.paris.lutece.portal.service.rbac.Permission;
import fr.paris.lutece.portal.service.rbac.ResourceIdService;
import fr.paris.lutece.portal.service.rbac.ResourceType;
import fr.paris.lutece.portal.service.rbac.ResourceTypeManager;

public class EntityResourceIdService extends ResourceIdService
{
    public static final String PERMISSION_CREATE = "CREATE";
    public static final String PERMISSION_MODIFY = "MODIFY";
    public static final String PERMISSION_DELETE = "DELETE";
    public static final String PERMISSION_VIEW = "VIEW";

    private static final String PROPERTY_LABEL_RESOURCE_TYPE = "myplugin.permission.resourceType.entity.label";
    private static final String PROPERTY_LABE