[Feature] Union the effect of different roles #876
@closetool @tangyang9464
@GYWang1983 I think it should be false. If your
@tangyang9464 Thank you for the reply.
@GYWang1983 I’m confused, why do you assign two contradictory roles to alice? You allow her to write for role writer but at the same time not allow her to write for role reader?
@tangyang9464 Because the policies are not contradictory in each role, writer role and reader role each can work fine. Usually people want to use The situation in a real system is much more complex. There may be hundreds of roles and thousands of policies which are managed by different teams, and the roles bound to a user may inherit from super roles or user groups. When TeamC uses the writer role created by TeamA and the read role created by TeamB, they are not able to find the contradiction between
@GYWang1983 Sorry it took so long to reply. I probably know now that you want to customize the effector. But I want to know why
@tangyang9464 Thanks for reply.
The model:
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act, eft
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act)
The policies:
Cannot enumerate all apps in policies, because they are created in runtime.
@GYWang1983 Why don’t you add a line of policy in runtime when you create an app? Casbin supports adding policy. Your approach is to manually exclude some apps in effect, right?
@tangyang9464 Nobody wants to add a policy manually after creating an app. They expect the system to do it automatically. So we need another policy system to determine whether we need to add the policy automatically. And then, maybe we can use that system to check permission instead of casbin ... =.=!
@GYWang1983 For the two parameters you want to add before, how is It’s a bit difficult to describe, please tell me what I didn’t say clearly
Closed as stale
Is your feature request related to a problem? Please describe.
I cannot find the available built-in policy effects when a user has more than one role with "deny override" policy
Your model:
Your policy:
Your request(s):
As the example above, user alice has both the writer and reader roles. The usually expected result is: alice is allowed to write data1
Describe alternatives you've considered
Add two arguments to the function MergeEffects in the Effector interface, one is the rmMap and the other one contains the matches information like this:
Then, I will be able to implement the MergeEffects by myself.
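The two merge strategies debated in this thread, as an added Go example that is not part of the original issue and is not Casbin's code: `global` is the model's deny-override effect applied across all of alice's roles, `union` is the per-role evaluation the request asks for. The policy rows, the `roles` map and the function names are constructed for illustration (the issue's own policy is not on the page), and exact string matching stands in for keyMatch.

```go
package main

import "fmt"

// Rule mirrors the thread's policy_definition: p = sub, obj, act, eft.
type Rule struct{ Sub, Obj, Act, Eft string }

// Constructed sample data; the issue's own policy rows are not on the page.
var roles = map[string][]string{"alice": {"writer", "reader"}}
var policy = []Rule{
	{"writer", "data1", "write", "allow"},
	{"reader", "data1", "read", "allow"},
	{"reader", "data1", "write", "deny"},
}

// matched returns one role's rules for obj/act (exact match stands in for keyMatch).
func matched(role, obj, act string) (out []Rule) {
	for _, r := range policy {
		if r.Sub == role && r.Obj == obj && r.Act == act {
			out = append(out, r)
		}
	}
	return out
}

// denyOverride is some(where (p.eft == allow)) && !some(where (p.eft == deny)).
func denyOverride(rules []Rule) bool {
	allow, deny := false, false
	for _, r := range rules {
		allow = allow || r.Eft == "allow"
		deny = deny || r.Eft == "deny"
	}
	return allow && !deny
}

// Enforce evaluates both strategies. global: deny-override over all roles' rules
// together. union: deny-override inside each role, allow if any one role allows.
func Enforce(user, obj, act string) (global, union bool) {
	var all []Rule
	for _, role := range roles[user] {
		m := matched(role, obj, act)
		all = append(all, m...)
		union = union || denyOverride(m)
	}
	return denyOverride(all), union
}

func main() {
	fmt.Println(Enforce("alice", "data1", "write")) // global, union
}
```

Under per-role union a deny rule only constrains the role it is written in, so a deny placed in one role no longer blocks an allow that the same user receives through another role.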