Hi everybody,
I have the issue that I want to create simple Casbin rule sets for thousands of users and systems. I have different user roles, viewer and admin. The higher levels shall include (inherit) the lower-level permissions.
Model
[request_definition]
r = sub, dom, obj, act
[policy_definition]
p = priority, sub, dom, obj, act, eft
[role_definition]
g = _, _, _
g2 = _, _
g3 = _, _
[policy_effect]
e = priority(p.eft) || deny
[matchers]
m = g(r.sub, p.sub, r.dom) && (g2(r.sub, p.sub)) && (r.dom == p.dom || p.dom == '*') && (g3(r.obj, p.obj)) && r.act == p.act
Policy
g, acc1, viewer, sys1
g, acc1, admin, sys2
g2, admin, viewer
g3, data1, readonly
g3, data2, readonly
g3, data3, readwrite
p, 5, viewer, *, readonly, read, allow
p, 5, viewer, *, readwrite, read, allow
p, 5, admin, *, readwrite, write, allow
Request
acc1, sys1, data1, read // expected to be true, but returns false
acc1, sys2, data1, read // expected to be true, but returns false
When I remove the g2 part from the matcher, the idea starts to work. But I have to duplicate either a p or a g policy, so I cannot inherit the user roles any longer:
What am I doing wrong?
Regards, Fromate
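
An added example, not part of the original post and not Casbin's own code: a simplified Python model of role-link checks that evaluates each term of the posted matcher against the posted policy. It shows that `g2(r.sub, p.sub)` is false for every rule because `acc1` never appears in `g2`, and contrasts this with a chained check (the hypothetical `chained_allows`) that resolves the role held in the domain via `g` and then follows `g2` from that role. Priority and effect are omitted as an assumption, since all three rules are `allow` at the same priority.

```python
# Simplified model of Casbin role links (constructed here; not Casbin's code).
# An edge (a, b) means "a has role b"; has_link is reflexive and transitive.
G = {"sys1": {("acc1", "viewer")}, "sys2": {("acc1", "admin")}}  # g, per domain
G2 = {("admin", "viewer")}                                       # g2
G3 = {("data1", "readonly"), ("data2", "readonly"), ("data3", "readwrite")}
POLICY = [  # (sub, dom, obj, act) of the three allow rules from the post
    ("viewer", "*", "readonly", "read"),
    ("viewer", "*", "readwrite", "read"),
    ("admin", "*", "readwrite", "write"),
]

def has_link(edges, a, b):
    """True if a == b or b is reachable from a by following edges."""
    seen, stack = set(), [a]
    while stack:
        n = stack.pop()
        if n == b:
            return True
        if n not in seen:
            seen.add(n)
            stack.extend(y for x, y in edges if x == n)
    return False

def posted_terms(req, rule):
    """Evaluate each conjunct of the posted matcher for one policy rule."""
    (sub, dom, obj, act), (psub, pdom, pobj, pact) = req, rule
    return {
        "g": has_link(G.get(dom, set()), sub, psub),
        "g2": has_link(G2, sub, psub),  # acc1 has no g2 edge, so always False
        "dom": dom == pdom or pdom == "*",
        "g3": has_link(G3, obj, pobj),
        "act": act == pact,
    }

def posted_allows(req):
    return any(all(posted_terms(req, rule).values()) for rule in POLICY)

def chained_allows(req):
    """Hypothetical intended semantics: a role held in r.dom reaches p.sub via g2."""
    sub, dom, obj, act = req
    edges = G.get(dom, set())
    held = {n for e in edges for n in e if has_link(edges, sub, n)}
    return any(
        any(has_link(G2, role, psub) for role in held)
        and (dom == pdom or pdom == "*")
        and has_link(G3, obj, pobj) and act == pact
        for psub, pdom, pobj, pact in POLICY
    )
```
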