
[Question] - How can I enforce hierarchy check for request to match both domain and tenant? #1359

Open
sujit-baniya opened this issue Feb 19, 2024 · 3 comments


@sujit-baniya

What's your scenario? What do you want to achieve?
I've tried to build the following model and policy, where

  • companyA has a child, companyB.
  • I'm a financePerson in companyA.

I can make a request to companyB's resource while on companyA. But I am also looking for some way to make a request to companyB's resource while on companyB.

Your model:

[request_definition]
r = user, domain, resource, action

[policy_definition]
p = user, domain, eft, resource, action

[role_definition]
g = _, _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.user, p.user, r.domain) && keyMatch2(r.resource, p.resource) && keyMatch2(r.action, p.action) && (g2(r.domain, p.domain) || keyMatch4(r.domain, p.domain))

Your policy:

p, financePerson, companyA, allow, /restrict, GET
p, financePerson, companyA, deny, /restrict, POST
p, financePerson, companyB, allow, /restricted, GET
g, sujit, financePerson, companyA
g2, companyA, companyB

Your request(s):

sujit, companyA, /restricted, GET ---> true (expected: true)
sujit, companyB, /restricted, GET ---> false (expected: true)

https://editor.casbin.org/#E7X7LBRDM

I would appreciate some help.
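The model and policy above, re-implemented in plain Python as an added illustration (this is neither Casbin's own code nor the issue author's). It reproduces both results quoted in the post, shows that the term which fails for the second request is the domain-scoped role lookup `g(r.user, p.user, r.domain)` (sujit is financePerson only in companyA, so the lookup in companyB finds nothing), and contrasts it with an assumed hierarchical matcher that resolves the role through the `g2` ancestors of the request domain. The helper names (`reachable`, `ancestors_or_self`, `matcher_original`, `matcher_hierarchical`, `enforce`) are assumptions; `keyMatch2` is reduced to its `/*` and `:param` rewrites, and `keyMatch4` on literal domain names is treated as string equality.

```python
import re
from typing import Callable, Iterable, Set, Tuple

Request = Tuple[str, str, str, str]            # r = user, domain, resource, action
Policy = Tuple[str, str, str, str, str]        # p = user, domain, eft, resource, action

# Constructed copies of the policy and grouping lines quoted in the issue.
POLICY = [
    ("financePerson", "companyA", "allow", "/restrict", "GET"),
    ("financePerson", "companyA", "deny", "/restrict", "POST"),
    ("financePerson", "companyB", "allow", "/restricted", "GET"),
]
G = {("sujit", "financePerson", "companyA")}   # g, user, role, domain
G2 = {("companyA", "companyB")}                # g2, parent domain, child domain


def key_match2(key1: str, key2: str) -> bool:
    """Simplified KeyMatch2: '/*' -> '/.*', ':param' -> '[^/]+', anchored match.
    Note '/restricted' does NOT match the pattern '/restrict'."""
    pattern = key2.replace("/*", "/.*")
    pattern = re.sub(r":[^/]+", "[^/]+", pattern)
    return re.fullmatch(pattern, key1) is not None


def reachable(start: str, target: str, edges: Iterable[Tuple[str, str]]) -> bool:
    """Role-manager style link check: reflexive, transitive over (from, to) edges."""
    if start == target:
        return True
    edges = set(edges)
    seen: Set[str] = set()
    frontier = {start}
    while frontier:
        nxt = {t for (f, t) in edges if f in frontier} - seen
        if target in nxt:
            return True
        seen |= nxt
        frontier = nxt
    return False


def g(user: str, role: str, domain: str) -> bool:
    """g(user, role, domain): the link must exist inside *this* domain."""
    return reachable(user, role, {(u, r) for (u, r, d) in G if d == domain})


def g2(a: str, b: str) -> bool:
    """g2(a, b): a is b or an ancestor of b in the domain hierarchy."""
    return reachable(a, b, G2)


def ancestors_or_self(domain: str) -> Set[str]:
    """Every domain D with g2(D, domain), including domain itself (assumed helper)."""
    known = {p for p, _ in G2} | {c for _, c in G2} | {domain}
    return {d for d in known if g2(d, domain)}


def matcher_original(r: Request, p: Policy) -> bool:
    """The matcher from the issue, term for term."""
    user, domain, resource, action = r
    p_user, p_domain, _, p_resource, p_action = p
    return (g(user, p_user, domain)
            and key_match2(resource, p_resource)
            and key_match2(action, p_action)
            and (g2(domain, p_domain) or domain == p_domain))


def matcher_hierarchical(r: Request, p: Policy) -> bool:
    """Assumed fix: accept the role if the user holds it in the request domain
    or in any g2 ancestor of it; everything else is unchanged."""
    user, domain, resource, action = r
    p_user, p_domain, _, p_resource, p_action = p
    return (any(g(user, p_user, d) for d in ancestors_or_self(domain))
            and key_match2(resource, p_resource)
            and key_match2(action, p_action)
            and (g2(domain, p_domain) or domain == p_domain))


def enforce(r: Request, matcher: Callable[[Request, Policy], bool]) -> bool:
    """Policy effect from the model: some(allow) && !some(deny)."""
    effects = [p[2] for p in POLICY if matcher(r, p)]
    return "allow" in effects and "deny" not in effects


if __name__ == "__main__":
    for req in [("sujit", "companyA", "/restricted", "GET"),
                ("sujit", "companyB", "/restricted", "GET"),
                ("sujit", "companyA", "/restrict", "POST")]:
        print(req, "original:", enforce(req, matcher_original),
              "hierarchical:", enforce(req, matcher_hierarchical))
```

Two things worth noticing when running it. First, the deny rule for POST still wins under the hierarchical matcher, so widening the role lookup does not weaken explicit denies. Second, the `g2, companyA, companyB` link as written only lets a request in companyA reach companyB's policies, not the reverse: a request `sujit, companyB, /restrict, GET` is still denied under both matchers because no companyB policy covers `/restrict` and `g2(companyB, companyA)` is false. In a real Casbin deployment the ancestor-aware role check would be wired in as a custom matcher function (for example via the enforcer's `AddFunction`) rather than the Python predicate used here; which of the two directions of `g2` is intended is for the model author to decide.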

@casbin-bot
Member

@tangyang9464 @JalinWang

@hsluoyz
Member

hsluoyz commented May 15, 2024

@sujit-baniya what's your question? What do you expect, and what did you get?

@sujit-baniya
Author

How do I enforce hierarchical permissions for the child company? I tried defining the model as mentioned above and added sample policies.

As for the policy, the following should hold true:

sujit, companyA, /restricted, GET ---> true (expected: true)
sujit, companyB, /restricted, GET ---> false (expected: true)

But it's not working as expected. How do I fix the model to achieve the correct answer?
