[Question] I want to figure out how to separately configure roles/permissions and the domain/resource hierarchy so that they don't bleed into each other
#1218
Closed
eouw0o83hf opened this issue
Mar 27, 2023
· 3 comments
What's your scenario? What do you want to achieve?
I'm trying to set up a basic REST authorization scheme where roles are configured globally across the application, but users bound to different domains have access to their subsets of the global dataset. I want to figure out how to separately configure roles/permissions and the domain/resource hierarchy so that they don't bleed into each other.
For instance, I'm working on widgets.
Users with role reader can GET a widget
Users with role writer can PUT to update a widget
Users bound to domain d-1 can access widgets with IDs [w-1, w-2]
Users bound to domain d-2 can access widgets with IDs [w-3, w-4]
For instance, if alice is a reader bound to domain d-1, she can GET /api/widgets/w-2, but she CANNOT GET /api/widgets/w-3
@eouw0o83hf Your scenario, model, policy, and requests are well-defined for your use case. The model separates the roles/permissions and domain/resource hierarchy using two different group rules: g for user-role-domain mapping and g2 for domain-widget mapping.
I've made a few minor changes to your model to ensure the correct role and domain inheritance:
If you face any issues with the provided model or policy, please provide more details about your Casbin setup, including any relevant code snippets, adapter configuration, or policy data.
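One way to express the scheme discussed in this thread, as an added example that is neither the model posted in the issue nor the one from the reply. It assumes the request carries the domain the caller is acting in (`r = sub, dom, obj, act`); the file names and the user `bob` are constructed for illustration.

```ini
# ---- model.conf (constructed example) ----
[request_definition]
# Assumption: the caller passes the domain it is acting in.
r = sub, dom, obj, act

[policy_definition]
# Permissions are global: no domain and no widget ID appears in a p rule.
p = sub, obj, act

[role_definition]
# g:  user, role, domain  (who holds which role, and in which domain)
g = _, _, _
# g2: widget, domain      (which domain owns which widget)
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
# All four terms must hold: role held in the domain, widget owned by the
# domain, path covered by the role's permission, and method equal.
m = g(r.sub, p.sub, r.dom) && g2(r.obj, r.dom) && keyMatch(r.obj, p.obj) && r.act == p.act

# ---- policy.csv (constructed example) ----
# Role permissions, defined once for the whole application.
p, reader, /api/widgets/*, GET
p, writer, /api/widgets/*, PUT

# User-to-role bindings, scoped to a domain.
g, alice, reader, d-1
g, bob, writer, d-2

# Widget-to-domain ownership, independent of roles.
g2, /api/widgets/w-1, d-1
g2, /api/widgets/w-2, d-1
g2, /api/widgets/w-3, d-2
g2, /api/widgets/w-4, d-2
```

With these rows, a request of `alice, d-1, /api/widgets/w-3, GET` fails the `g2` term because w-3 is mapped to d-2, and the same request with `d-2` fails the `g` term because alice holds no role there. A widget with no `g2` row matches no domain, so it is denied for every user until it is mapped.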
hsluoyz
changed the title
[Question]
[Question] I want to figure out how to separately configure roles/permissions and the domain/resource hierarchy so that they don't bleed into each other
Mar 29, 2023
Your model:
Your policy:
Your request(s):