Implement cross-domain role inheritance: g, admin, developer, domain1, domain2 #493
Comments
@rrasulzade Please upgrade to the latest version, then read https://casbin.org/docs/en/rbac#use-pattern-matching-in-rbac. |
thanks @nodece yes, I'm aware of the new domain pattern matching feature and that's how I'm using
But my question isn't about modelling the given policy example above. It's related to cross-domain access. The challenge I'm facing is how to assign external roles to members of |
@rrasulzade Currently, Casbin does not support inheritance relationships between domains. This feature may require adding new model syntax and needs to be discussed. Maybe you can try using |
@rrasulzade we can use |
@hsluoyz I introduced a term

```ini
[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)
```
|
@closetool |
@gaessaki has funded $45.00 to this issue.
|
When will this feature be released? |
@closetool @tangyang9464 plz work on this |
I have talked about this problem a couple of times. However, I think almost the best solution comes from incorrect policy configuration:
Where incorrect lines are Now, if we query this configuration with following:
which is actually what we almost want. However, user always needs to query from the domain which he/she is an admin and try to query domain resource. However, I am unsure if this method is corrupt otherwise. The benefits are:
This is the feature that needs to be implemented. It's the de facto way of how these kinds of policies are usually used. Domain hierarchy is quite pointless otherwise if it does not mean anything. I think every other way would require much more maintenance. |
Now that I have thought about it more, I think the original idea of having "partner" domains is flawed. If you want to have links in between domains, those should be done through domain hierarchy (i.e.
|
@gaessaki has cancelled funding for this issue. (Cancelled amount: $45.00) See it on IssueHunt |
Hi there,
I'm building an RBAC system with domains. There are some constraints: Users are admins associated with permissions in an organization. Each organization can have multiple partner organizations. Once a partnership is established, admin users in both organizations will need to have permission to access the resources of the partner organization. The desired behaviour is to give permissions to existing admin users in `orgA` to access the child `orgB` domain.

For example, let's say Alice and Eve have `super_admin` roles in `orgA`. `OrgB` is a sub-organization of `orgA`. In this scenario, how can I give `developer` role to Alice and Eve to access `orgB` data in the most efficient way?

I'm trying not to introduce new rules explicitly for Alice and Eve. Because if orgA has dozens of admins and sub-organizations then it'll cause an overhead to assign new permission to each admin for each child organization. Also if any of the admins decide to delete their account, it'll be an expensive operation to clean up all policy entries for those users. So I'm trying to minimize user to policy mapping in casbin rules database.
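
A sketch of the rule shape in the issue title (`g, admin, developer, domain1, domain2`), added here as an example; it is not Casbin code and not from any participant in this thread. The reading "holders of the first role in the first domain also hold the second role in the second domain", the names `effective_roles`, `enforce` and `offboard`, and all policy rows are assumptions constructed for illustration.

```python
from collections import deque

# Constructed sample rows: per-domain grants in the shape of "g = _, _, _".
GRANTS = {  # (user, role, domain)
    ("alice", "super_admin", "orgA"),
    ("eve", "super_admin", "orgA"),
    ("bob", "developer", "orgA"),
}
# Hypothetical cross-domain links (role1, role2, dom1, dom2): one row per
# role pair and partner domain, no per-user rows. Semantics are an assumption.
CROSS_LINKS = {
    ("super_admin", "developer", "orgA", "orgB"),
    ("developer", "viewer", "orgB", "orgC"),
}
PERMS = {("developer", "orgB", "/data", "read")}  # (role, dom, obj, act)


def effective_roles(user, grants, links):
    """Every (role, domain) the user holds once links are followed."""
    seen = {(r, d) for (u, r, d) in grants if u == user}
    queue = deque(seen)
    while queue:  # BFS; the seen-set makes cyclic links terminate
        role, dom = queue.popleft()
        for r1, r2, d1, d2 in links:
            if (r1, d1) == (role, dom) and (r2, d2) not in seen:
                seen.add((r2, d2))
                queue.append((r2, d2))
    return seen


def enforce(user, dom, obj, act, grants=GRANTS, links=CROSS_LINKS, perms=PERMS):
    """Allow only if a role the user holds in `dom` carries the permission."""
    roles = effective_roles(user, grants, links)
    return any((role, dom, obj, act) in perms for (role, d) in roles if d == dom)


def offboard(user, grants):
    """Deleting an account removes only that user's own grant rows."""
    return {g for g in grants if g[0] != user}


if __name__ == "__main__":
    print(enforce("alice", "orgB", "/data", "read"))   # linked via super_admin@orgA
    print(enforce("bob", "orgB", "/data", "read"))     # developer@orgA is not linked
    # Links chain: alice also ends up with viewer@orgC, so audit effective roles.
    print(sorted(effective_roles("alice", GRANTS, CROSS_LINKS)))
```

Because links are followed transitively, a single row can extend access further than its author intended; listing `effective_roles` per role holder before adding a link is the check to run.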