[Question] Users/Tenants/Roles/Objects/Actions how to model?

[iGrog]

Want to prioritize this issue? Try:

What's your scenario? What do you want to achieve?

I have users, tenants, roles, objects and actions like this:

users:

- user_1
- user_2
- ...

tenants:

- tenant_1
- tenant_2
- ...

roles:

• ordersManager (must have access to objects:actions like orders:(view|create|update|delete) in own tenant)
• ordersAssistant (must have access to one object -> orders:view in own tenant
• accountant (access to invoices:(view, create, update, delete) in own tenant
• admin (access to all objects:actions in own tenant)
• superadmin (access to all object:actions in any tenants)

How bindings will look like:

• user_1 is ordersManager in tenant_1
• user_2 is accountant in tenant_1
• user_3 is admin in tenant_2
• user_4 is superadmin

additionally, any explicit rule can be applied to any user/tenant like:
user_5 in tenant_1 has access to orders:list.

I tried to model policy for all this, but without any luck

p, superadmin, *, *, *
p, ordersAssistant, *, orders, list

g, user:1, ordersAssistant, tenant:1	

#roles?
g, admin, superadmin
g, accountant, admin
g, ordersAssistant, admin
g, ordersManager, admin
g, ordersAssistant, ordersManager

but I don’t understand at all how to write all these roles, objects and actions in policy definition?
could someone help me?

[casbin-bot]

@tangyang9464 @JalinWang

[hsluoyz]

@iGrog plz input a non-empty issue title

[PokIsemaine]

@iGrog It looks like your model is not simple, since I don't know your situation completely, I can only offer some suggestions.

suggestions

step1: You don't have to immediately pursue the simplest policy to meet your needs.

You can try to use the simplest mechanism to implement step by step, and then consider using some advanced mechanisms to simplify the policy.

step2: Before writing your policy, you should first determine the model you use.

According to your situation, I suggest you use RBAC with Domains and RBAC with Pattern, here is the reference document:
https://casbin.org/docs/rbac-with-domains.
https://casbin.org/docs/rbac-with-pattern
If you can't directly write the corresponding model, you can consider drawing a diagram like this to help you clarify your thinking

If you need some examples, you can check out the tests in the github repository, which has a wealth of examples, Follow the example in the with Domain section：https://github.com/casbin/casbin/blob/master/rbac_api_test.go .

In addition, you can find the model file and policy file used in the test in the example directory
https://github.com/casbin/casbin/tree/master/examples

step3：Write simple (possibly redundant or inelegant) but correct policy files

In this step, you can use the online editor provided by casbin to check the correctness of syntax and verify your solution through test cases.

https://casbin.org/editor

step4：Try simplifying your policy files with advanced mechanisms

• Super Admin：Super Admin is the administrator of the whole system, we can use it in models like RBAC, ABAC and RBAC with domains：https://casbin.org/docs/superadmin
• Functions in matchers：You can try to use casbin's built-in functions or custom functions in the matcher to simplify the matching.
  https://casbin.org/docs/function
  https://casbin.org/docs/rbac-with-pattern

In addition, it seems that the role and user inheritance are used in the policy example you gave, so there may be implicit roles. Although casbin allows such a mechanism, I personally think that it may not be easy to maintain, and you can try to avoid it.

It is also possible that this is because you have not clearly distinguished the concepts of users and roles. Generally speaking, for g = _, _ the first _ should be users, such as user_1, user_2..... The second _ should be roles such as ordersManager , accountant

Of course you may also need the domain in g=_,_,_ to limit their scope

If you need further help

Please provide the model file of your design, which can help me make better suggestions and troubleshoot problems

hope this helps you

[hsluoyz]

@iGrog

[jayasuryard31]

It seems like you are trying to model a multi-tenant system with different roles and permissions for users. Casbin can definitely help you achieve this by providing a flexible policy management API.

To implement the scenario you described, you could define a Casbin policy model that includes:

Users as the first column, representing the user identity
Tenants as the second column, representing the tenant identity
Roles as the third column, representing the role of the user in the tenant
Objects as the fourth column, representing the resource that the user wants to access
Actions as the fifth column, representing the operation that the user wants to perform on the resource
Here is an example of a Casbin policy that defines access control rules for the scenario you described:

Allow super-admin to access any object and action in any tenant

p, superadmin, *, *, *, *

Allow admin to access any object and action in their own tenant

p, admin, tenant_1, *, *, *
p, admin, tenant_2, *, *, *

Allow ordersManager to access orders: view, orders: create, orders: update, and orders: delete in their own tenant

p, ordersManager, tenant_1, orders, view
p, ordersManager, tenant_1, orders, create
p, ordersManager, tenant_1, orders, update
p, ordersManager, tenant_1, orders, delete

Allow order assistant to access orders: view in their own tenant

p, ordersAssistant, tenant_1, orders, view

Allow accountant to access invoices: view, invoices: create, invoices: update, and invoices: delete in their own tenant

p, accountant, tenant_1, invoices, view
p, accountant, tenant_1, invoices, create
p, accountant, tenant_1, invoices, update
p, accountant, tenant_1, invoices, delete

Allow user_5 in tenant_1 to access orders: list

p, user_5, tenant_1, orders, list

This policy allows super admins to access any object and action in any tenant, and admins to access any object and action in their own tenant. It also defines access control rules for ordersManager, ordersAssistant, and accountant, based on their roles and the resources they need to access. Finally, it includes an explicit rule that allows user_5 in tenant_1 to access orders: list.

You can load this policy into Casbin and use it to enforce access control rules in your application. Additionally, you can use Casbin's API to manage policies dynamically, allowing you to add or remove access control rules as needed.

[hsluoyz]

@jayasuryard31 thanks for the detailed answer!

Closed as resolved