[Question]I don't know how to implement my matchers. #1111

Closed
Zacama opened this issue Sep 22, 2022 · 12 comments
@Zacama

Zacama commented Sep 22, 2022


What's your scenario? What do you want to achieve?
I am using ABAC models and the policies have two priority levels (not the priority model): medium and high. I don't know how to modify this matcher so that when policies of both priority levels are matched, the medium policies are discarded and the high policies are used to calculate the final result. And if policies with only one priority level are matched, then none of the policies will be discarded.

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = priority, sub, obj, act, eft

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = p.sub in r.sub.IDs && r.obj.ID == p.obj && r.act == p.act

Your policy:

p, medium, 111, data1, write, deny
p, high, 1114, data1, write, allow
p, high, 1113, data1, write, deny

Your request(s):

{IDs: [111, 1114, 1113]}, data1, write---> false (expected: false)

The matched strategy should be the following two
p, high, 1114, data1, write, allow
p, high, 1113, data1, write, deny

@casbin-bot
Member

@tangyang9464 @JalinWang

@JalinWang
Member

The matcher can't support priority.
One possible (not sole) way: You may switch to priority model and turn high/medium to numbers.

[policy_effect]
e = priority(p.eft) || deny

@Zacama
Author

Zacama commented Sep 22, 2022

Thank you for your reply. But the priority model will only select a matching strategy, but in fact I need to obtain all matching results of the same priority, and comprehensively calculate by some(where (p.eft == allow)) && !some(where (p.eft == deny))

@Zacama
Author

Zacama commented Sep 23, 2022

@JalinWang I don't know if I understand it right. The priority model can only match one policy, even if multiple policies have the same priority. But I need to get the result by combining multiple policies with the same priority.

@hsluoyz
Member

hsluoyz commented Sep 23, 2022

@JalinWang

@hsluoyz
Member

hsluoyz commented Oct 7, 2022

@Zacama
Author

Zacama commented Oct 7, 2022

@hsluoyz Thank you. I'll read and try it.

@DavidLetGo

@Zacama I am following your issue.
Does the web link from @hsluoyz solve your issue?

If the issue is solved, please ignore below comments.
I am not sure what your requirement is. Could you please clarify it?
From your request, {IDs: [111, 1114, 1113]} are multiple users. So I guessed you may want casbin to batch process multiple users' requests. Is that right?
{IDs: [111, 1114, 1113]}, data1, write---> false (expected: false)

I also tried your model, policy and request in casbin online editor. It failed with "Cannot use 'in' operator to search for '111' in false".
https://casbin.org/editor/

@Zacama
Author

Zacama commented Oct 8, 2022

@DavidLetGo Hello DavidLetGo, thank you for your attention. I haven't looked into it carefully as I have other things to do. But it may not seem to work because I'm using ABAC instead of RBAC. The reason why there are multiple ids in a query is because the subject of the policy can be a department, not just a person, so the policy that needs to be hit when querying is the subject's id of the person or the id of all the departments he belongs to.
As for my model, policy and request, it has another problem. Actually, Go code should be used.

package main

import (
	"fmt"
	"github.com/casbin/casbin/v2"
)

type subject struct {
	IDs []string
}

func main() {
	e, err := casbin.NewEnforcer("model.conf", "policy.csv")
	if err != nil {
		panic(err)
	}
	ok, err := e.Enforce(subject{IDs: []string{"111", "1114", "1113"}}, "data1", "write")
	if err != nil {
		panic(err)
	}
	fmt.Println(ok)
}

But when I execute this program casbin returns an error:
panic: Value '[111 1114 1113]' cannot be used with the comparator 'in', it is not a number

@DavidLetGo

please try e.BatchEnforce
results, err := e.BatchEnforce([][]interface{}{{"111", "data1", "write"},{"1114", "data1", "write"}, {"1113", "data1", "write"}})

@Zacama
Author

Zacama commented Oct 9, 2022

@DavidLetGo Hello DavidLetGo, thank you. While this allows for multiple computations at the same time, it loses the priority of the policy. If only the following two strategies are hit:

p, medium, 111, data1, write, deny
p, high, 1114, data1, write, allow

In the end, it should be allow, not deny, because when the result of the hit contains both medium and high-level strategies, the medium strategy should be discarded. Apparently BatchEnforce can't do this. And this moves part of the calculation into the code, so the model is actually incomplete.

@hsluoyz
Member

hsluoyz commented Dec 8, 2022

@Zacama BatchEnforce() will also iterate on all policy rules, so priority still works. BatchEnforce() just tries to do multiple Enforce() calls in a parallel way.
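
The combination rule requested in this issue (when rules of both levels match, drop the medium ones, then apply some(allow) && !some(deny) to what remains), written as an added example that is not part of the thread and does not use Casbin's API. The names Rule, rank and Decide are hypothetical, the rules are the ones posted above, and treating an unrecognised priority as the lowest level is an assumption.

```go
package main

import "fmt"

// Rule mirrors the issue's policy line: p = priority, sub, obj, act, eft.
type Rule struct{ Priority, Sub, Obj, Act, Eft string }

// rank orders the two levels from the issue. Assumption: a priority that is
// not listed here ranks lowest (0), so it can never override a known level.
var rank = map[string]int{"medium": 1, "high": 2}

// Decide matches rules whose subject is any of the caller's IDs, keeps only
// the highest priority level present among the matches, and applies
// some(allow) && !some(deny) to the rules of that level.
func Decide(rules []Rule, ids []string, obj, act string) bool {
	idSet := make(map[string]bool, len(ids))
	for _, id := range ids {
		idSet[id] = true
	}
	top, allow, deny := 0, false, false
	for _, r := range rules {
		if !idSet[r.Sub] || r.Obj != obj || r.Act != act {
			continue // rule does not match the request
		}
		lvl := rank[r.Priority]
		if lvl < top {
			continue // a higher level already matched: discard this rule
		}
		if lvl > top { // higher level found: discard what was collected so far
			top, allow, deny = lvl, false, false
		}
		switch r.Eft {
		case "allow":
			allow = true
		case "deny":
			deny = true
		}
	}
	return allow && !deny // no matching rule at all yields false
}

func main() {
	rules := []Rule{ // the three policy lines posted in the issue
		{"medium", "111", "data1", "write", "deny"},
		{"high", "1114", "data1", "write", "allow"},
		{"high", "1113", "data1", "write", "deny"},
	}
	fmt.Println(Decide(rules, []string{"111", "1114", "1113"}, "data1", "write")) // false
	fmt.Println(Decide(rules, []string{"111", "1114"}, "data1", "write"))         // true
}
```
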
