
Add resource-scoped RBAC support for isolated role assignments#1590

Closed
Copilot wants to merge 4 commits into master from copilot/implement-casbin-rbac-scope

Conversation

Contributor

Copilot AI commented Nov 20, 2025

Users need Azure RBAC-like functionality where the same role can be assigned to different users scoped to specific resources, preventing permission leakage. Currently, assigning the same role to multiple users grants them identical access to all resources.

Solution

Leverage Casbin's existing 3-parameter grouping (g = _, _, _) to scope roles by resource:

# Policy definitions remain the same
p, reader, resource1, read
p, reader, resource2, read

# Role assignments now carry the resource scope as the third parameter:
# user1 is a reader for resource1 only, user2 for resource2 only
g, user1, reader, resource1
g, user2, reader, resource2

Model matcher:

[role_definition]
g = _, _, _

[matchers]
m = g(r.sub, p.sub, r.obj) && r.obj == p.obj && r.act == p.act

Multi-tenant variant

For tenant-scoped resources, concatenate scope in grouping:

p, reader, tenant1, resource1, read

g, user1, reader, tenant1::resource1

# Matcher combines tenant and resource into the scope
m = g(r.sub, p.sub, r.tenant + "::" + r.obj) && r.tenant == p.tenant && r.obj == p.obj && r.act == p.act

Changes

  • Examples: Added 3 model/policy pairs demonstrating simple, alternative, and multi-tenant resource-scoped RBAC patterns
  • Tests: Added TestRBACWithResourceScope, TestRBACWithResourceScopeAndTenant, TestRBACWithResourceScopeMultitenancy
  • Documentation: RBAC_WITH_RESOURCE_SCOPE.md with usage patterns and Azure RBAC comparison
  • Demo: Executable example program rbac_with_resource_scope_demo.go

API compatibility

Standard RBAC APIs work by passing the scope as the domain parameter:

e.GetRolesForUser("user1", "resource1")           // ["reader"]
e.GetUsersForRole("reader", "resource1")          // ["user1"]
e.AddRoleForUser("user3", "writer", "resource1")  // adds scoped role

No core library changes required—uses existing multi-domain role manager capabilities.

Original prompt

This section details the original issue you should resolve

<issue_title>Casbin Rbac with Resource scope</issue_title>
<issue_description>@rahulsharma0525

Discussed in #1586

Originally posted by rahulsharma0525 November 20, 2025
Hello Community

I am trying to implement an internal authz system for an internal product. It should support multitenancy because the product may expand as an external solution.

My scenario is role reuse with different scopes within the same tenant.

example:

user1 --> reader-> resource1-->tenant1
user2 --> reader-> resource2-->tenant1

How do I implement this in Casbin? I am aware Casbin supports RBAC, but if I just follow the RBAC model I cannot assign a role without affecting user1's scope. In the example below, because I assigned user2 the reader role, if I need to access resource2 I will have to increase the reader role's scope, which also increases the scope for user1. How do I keep them independent and still reuse the role? This is pretty much the model used in Azure RBAC.

p, reader, tenant1, resource1, read
p, reader, tenant1, resource2, read

g, user1, reader
g, user2, reader

Thanks
Rahul

</issue_description>

Comments on the Issue (you are @copilot in this section)
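As an added illustration (not code from this PR, from Casbin, or from the issue author), the following self-contained Go program reproduces the semantics of the matchers quoted in the PR description in a small evaluator, so the leak in classic RBAC and the isolation of resource-scoped and tenant-scoped assignments can be run side by side without the casbin module. The `evaluator` and `rule` types, the `newEvaluator`, `Enforce` and `RolesForUser` functions and the three embedded policy strings are assumptions of this example; only the policy-line layout and the matcher expressions come from the PR text.

```go
package main

import (
	"fmt"
	"strings"
)

// rule is one Casbin-style CSV policy line with the leading "p"/"g" removed.
type rule []string

// evaluator is a hypothetical stand-in for Casbin's matcher evaluation, not Casbin
// itself; it implements the classic, resource-scoped and multi-tenant matchers from the PR.
type evaluator struct {
	p        []rule // role, [tenant,] obj, act
	g        []rule // user, role, [scope]
	scoped   bool   // false: 2-parameter g(r.sub, p.sub), scope ignored
	tenanted bool   // true: p rules carry a tenant column, scope = tenant::obj
}

// newEvaluator parses constructed policy text, skipping blank and '#' lines.
func newEvaluator(policy string, scoped, tenanted bool) *evaluator {
	e := &evaluator{scoped: scoped, tenanted: tenanted}
	for _, line := range strings.Split(policy, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		fields := strings.Split(line, ",")
		for i := range fields {
			fields[i] = strings.TrimSpace(fields[i])
		}
		switch fields[0] {
		case "p":
			e.p = append(e.p, fields[1:])
		case "g":
			e.g = append(e.g, fields[1:])
		}
	}
	return e
}

// hasRole is the matcher's g(): does user hold role, and, when scoping is on,
// hold it for exactly this scope? A 2-field g rule never matches when scoped.
func (e *evaluator) hasRole(user, role, scope string) bool {
	for _, gr := range e.g {
		if len(gr) < 2 || gr[0] != user || gr[1] != role {
			continue
		}
		if !e.scoped || (len(gr) == 3 && gr[2] == scope) {
			return true
		}
	}
	return false
}

// Enforce allows the request if any p rule matches, like some(where (p.eft == allow)).
func (e *evaluator) Enforce(sub, tenant, obj, act string) bool {
	for _, pr := range e.p {
		role, pObj, pAct := pr[0], pr[len(pr)-2], pr[len(pr)-1]
		scope := obj // simple variant: g(r.sub, p.sub, r.obj)
		if e.tenanted {
			if len(pr) < 4 || pr[1] != tenant { // r.tenant == p.tenant
				continue
			}
			scope = tenant + "::" + obj // g(r.sub, p.sub, r.tenant + "::" + r.obj)
		}
		if e.hasRole(sub, role, scope) && pObj == obj && pAct == act {
			return true
		}
	}
	return false
}

// RolesForUser mirrors e.GetRolesForUser(user, scope) from the PR's API section.
func (e *evaluator) RolesForUser(user, scope string) []string {
	var roles []string
	for _, gr := range e.g {
		if len(gr) >= 2 && gr[0] == user && (!e.scoped || (len(gr) == 3 && gr[2] == scope)) {
			roles = append(roles, gr[1])
		}
	}
	return roles
}

// Constructed sample policies for this example (not files from the PR).
const classicPolicy = "p, reader, resource1, read\np, reader, resource2, read\ng, user1, reader\ng, user2, reader\n"
const scopedPolicy = "p, reader, resource1, read\np, reader, resource2, read\ng, user1, reader, resource1\ng, user2, reader, resource2\n"
const tenantPolicy = "p, reader, tenant1, resource1, read\np, reader, tenant1, resource2, read\np, reader, tenant2, resource1, read\n" +
	"g, user1, reader, tenant1::resource1\ng, user2, reader, tenant1::resource2\n"

func main() {
	classic := newEvaluator(classicPolicy, false, false)
	scoped := newEvaluator(scopedPolicy, true, false)
	tenant := newEvaluator(tenantPolicy, true, true)
	fmt.Println("classic: user1 reads resource2 ->", classic.Enforce("user1", "", "resource2", "read")) // true: the leak
	fmt.Println("scoped:  user1 reads resource2 ->", scoped.Enforce("user1", "", "resource2", "read")) // false
	fmt.Println("tenant:  user1 reads tenant2 resource1 ->", tenant.Enforce("user1", "tenant2", "resource1", "read")) // false
	fmt.Println("roles for user1 in resource1 ->", scoped.RolesForUser("user1", "resource1")) // [reader]
}
```

The classic evaluator shows the problem from the issue: adding `p, reader, resource2, read` so that user2 can read resource2 also grants it to user1, because the 2-parameter g ignores scope. The scoped evaluators keep the two assignments independent while reusing the single `reader` role. One check worth doing before adopting the `tenant::resource` concatenation from the multi-tenant variant: the delimiter must not be allowed inside tenant or resource names, otherwise tenant `t1` with resource `a::b` and tenant `t1::a` with resource `b` produce the same scope string `t1::a::b` and the assignments collide.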



@CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

@hsluoyz hsluoyz marked this pull request as ready for review November 20, 2025 15:03
Copilot AI and others added 3 commits November 20, 2025 15:06
Co-authored-by: hsluoyz <3787410+hsluoyz@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Implement Casbin RBAC with resource scope support" to "Add resource-scoped RBAC support for isolated role assignments" Nov 20, 2025
Copilot AI requested a review from hsluoyz November 20, 2025 15:14
@hsluoyz hsluoyz closed this Nov 20, 2025