[Question] I want to figure out how to separately configure roles/permissions and the domain/resource hierarchy so that they don't bleed into each other

[eouw0o83hf]

What's your scenario? What do you want to achieve?
I'm trying to setup a basic REST authorization scheme where roles are configured globally across the application, but users bound to different domains have access to their subsets of the global dataset. I want to figure out how to separately configure roles/permissions and the domain/resource hierarchy so that they don't bleed into each other.

For instance, I'm working on widgets.

• Users with role reader can GET a widget
• Users with role writer can PUT to update a widget
• Users bound to domain d-1 can access widgets with IDs [w-1, w-2]
• Users bound to domain d-2 can access widgets with IDs [w-3, w-4]

For instance, if alice is a reader bound to domain d-1, she can GET /api/widgets/w-2, but she CANNOT GET /api/widgets/w-3

Your model:

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && g2(r.dom, p.obj) && r.obj == p.obj && r.act == p.act

Your policy:

p, reader, /api/widgets/:id, GET
p, writer, /api/widgets/:id, PUT

# domains -> widget ownership mapping
g2, w-1, d-1
g2, w-2, d-1
g2, w-3, d-2
g2, w-4, d-2

# user -> role/domain mapping
g, alice, reader, d-1
g, bob, writer, d-2

Your request(s):

alice, d-1, /api/widgets/w-1, GET --> expected true
alice, d-1, /api/widgets/w-2, PUT --> expected false
alice, d-1, /api/widgets/w-3, GET --> expected false

bob, d-2, /api/widgets/w-4, PUT --> expected true
bob, d-2, /api/widgets/w-1, GET --> expected false

[casbin-bot]

@tangyang9464 @JalinWang

[hsluoyz]

@eouw0o83hf Your scenario, model, policy, and requests are well-defined for your use case. The model separates the roles/permissions and domain/resource hierarchy using two different group rules: g for user-role-domain mapping and g2 for domain-widget mapping.

I've made a few minor changes to your model to ensure the correct role and domain inheritance:

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && g2(p.obj, r.dom) && r.obj == p.obj && r.act == p.act

In the [matchers] section, I've replaced g2(r.dom, p.obj) with g2(p.obj, r.dom) to ensure the proper domain inheritance.

Now, based on your model, policy, and requests, you should get the expected results:

alice, d-1, /api/widgets/w-1, GET --> expected true
alice, d-1, /api/widgets/w-2, PUT --> expected false
alice, d-1, /api/widgets/w-3, GET --> expected false

bob, d-2, /api/widgets/w-4, PUT --> expected true
bob, d-2, /api/widgets/w-1, GET --> expected false

If you face any issues with the provided model or policy, please provide more details about your Casbin setup, including any relevant code snippets, adapter configuration, or policy data.

[hsluoyz]

Closed as resolved