Casbin = way to authorization
A place for Casbin developers and users

How do I create inheritance roles in a domain RBAC policy?

    Fromate · 4 months ago · 80 views
    This topic was created 126 days ago; the information in it may have since developed or changed.

    Hi everybody,

    I have the issue that I want to create simple Casbin rule sets for thousands of users and systems. I have different user roles, viewer and admin. The higher levels shall include (inherit) the lower level permissions.

    Model

    [request_definition]
    r = sub, dom, obj, act

    [policy_definition]
    p = priority, sub, dom, obj, act, eft

    [role_definition]
    g = _, _, _
    g2 = _, _
    g3 = _, _

    [policy_effect]
    e = priority(p.eft) || deny

    [matchers]
    m = g(r.sub, p.sub, r.dom) && (g2(r.sub, p.sub)) && (r.dom == p.dom || p.dom == '*') && (g3(r.obj, p.obj)) && r.act == p.act

    Policy

    g, acc1, viewer, sys1
    g, acc1, admin, sys2
    g2, admin, viewer
    g3, data1, readonly
    g3, data2, readonly
    g3, data3, readwrite
    p, 5, viewer, *, readonly, read, allow
    p, 5, viewer, *, readwrite, read, allow
    p, 5, admin, *, readwrite, write, allow

    Request

    acc1, sys1, data1, read // expected to be true, but returns false
    acc1, sys2, data1, read // expected to be true, but returns false

    When I remove the g2 part from the matcher, the idea starts to work. But I have to duplicate either a p or a g policy, so I cannot inherit the user roles any longer:

    • g, acc1, viewer, sys2
    • p, 5, admin, *, readonly, read, allow

    What am I doing wrong?

    Regards, Fromate

    1 reply · 2022-01-15 09:22:19 +08:00
    hsluoyz · 4 months ago

    please ask in github
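
Added example, not part of the original thread and not Casbin's own code: a simplified Python re-implementation of the posted matcher's terms over the posted policy, showing which term is false for each request. The helper names and the `composed` check (take the role granted by g in the request domain, then follow g2 inheritance from that role) are assumptions made for illustration; priority and eft are ignored because every p rule is an allow at priority 5.

```python
# Simplified model of the thread's matcher terms (an illustration, not Casbin itself).
G = {("acc1", "viewer", "sys1"), ("acc1", "admin", "sys2")}   # g: user, role, domain
G2 = {("admin", "viewer")}                                     # g2: role inherits role
G3 = {("data1", "readonly"), ("data2", "readonly"), ("data3", "readwrite")}
P = [("viewer", "*", "readonly", "read"),                      # p: sub, dom, obj, act
     ("viewer", "*", "readwrite", "read"),
     ("admin", "*", "readwrite", "write")]

def link(edges, a, b):
    """Transitive reachability a -> b; a name always links to itself, as in Casbin."""
    seen, todo = set(), [a]
    while todo:
        n = todo.pop()
        if n == b:
            return True
        if n not in seen:
            seen.add(n)
            todo += [y for x, y in edges if x == n]
    return False

def g(sub, role, dom):
    # Domain-scoped role link: only g rules of the request's domain are considered.
    return link({(u, r) for u, r, d in G if d == dom}, sub, role)

def terms(req, pol):
    """Evaluate each && term of the posted matcher separately."""
    (sub, dom, obj, act), (psub, pdom, pobj, pact) = req, pol
    return {"g": g(sub, psub, dom), "g2": link(G2, sub, psub),
            "dom": dom == pdom or pdom == "*",
            "g3": link(G3, obj, pobj), "act": act == pact}

def original(req):
    # The posted matcher: all five terms must hold for at least one p rule.
    return any(all(terms(req, p).values()) for p in P)

def composed(req):
    """Hypothetical intent: a role held via g in the domain reaches p.sub via g2."""
    sub, dom, _, _ = req
    roles = {r for u, r, d in G if u == sub and d == dom}
    for p in P:
        t = terms(req, p)
        if t["dom"] and t["g3"] and t["act"] and any(link(G2, r, p[0]) for r in roles):
            return True
    return False

if __name__ == "__main__":
    for req in [("acc1", "sys1", "data1", "read"), ("acc1", "sys2", "data1", "read")]:
        print(req, terms(req, P[0]), original(req), composed(req))
```

For the first request against the first p rule only `g2` is false, because `acc1` never appears as a subject in a g2 rule; for the second request `g` is false as well, because the admin-to-viewer link exists only in g2 and not in g for `sys2`.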
