
[Feature] Union the effect of different roles #876

Closed
GYWang1983 opened this issue Sep 1, 2021 · 12 comments

@GYWang1983

Is your feature request related to a problem? Please describe.
I cannot find an available built-in policy effect for the case where a user has more than one role under a "deny override" policy.

Your model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && keyMatch(r.act, p.act)

Your policy:

p, writer, data1, write, allow
p, reader, data1, *, allow
p, reader, data1, write, deny

g, alice, writer
g, alice, reader
g, bob, reader

Your request(s):

alice, data1, write ---> false (expected: true)
bob, data1, write ---> false (expected: false)

As in the example above, user alice has both the writer and reader roles. The usually expected result is: alice is allowed to write data1.

Describe alternatives you've considered
Add two arguments to the function MergeEffects in the Effector interface: one is the rmMap and the other contains the match information, like this:

{
    effector.Allow: {
       subSet: { "writer", "reader" }
    },
    effector.Deny: {
       subSet: { "reader" }
    },
    effector.Indeterminate: {
       subSet: { }
    }
}

Then, I will be able to implement the MergeEffects by myself.

@casbin-bot
Member

@closetool @tangyang9464

@hsluoyz
Member

hsluoyz commented Sep 2, 2021

@tangyang9464

@tangyang9464
Member

@GYWang1983 I think it should be false. If your policy_effect is e = some(where (p.eft == allow)), it will be true.
For alice, data1, write: p, writer, data1, write, allow meets the condition some(where (p.eft == allow)), but reader, data1, write, deny doesn't meet the condition !some(where (p.eft == deny)).

@GYWang1983
Author

> @GYWang1983 I think it should be false. If your policy_effect is e = some(where (p.eft == allow)), it will be true.
> For alice, data1, write: p, writer, data1, write, allow meets the condition some(where (p.eft == allow)), but reader, data1, write, deny doesn't meet the condition !some(where (p.eft == deny)).

@tangyang9464 Thank you for the reply.
If I use e = some(where (p.eft == allow)) && !some(where (p.eft == deny)), then alice, data1, write ---> false is correct; it's not a bug.
But the result does not meet my case. Alice has the reader and writer roles for data1, so of course she should be able to write something to data1.
So I want to implement a new Effector for this case. But right now, the arguments of the MergeEffects function are not enough: the effects array does not contain any subject information. Could we pass more information into this function?

@tangyang9464
Member

@GYWang1983 I'm confused: why do you assign two contradictory roles to alice? You allow her to write for role writer, but at the same time do not allow her to write for role reader?

p, writer, data1, write, allow
p, reader, data1, write, deny

@GYWang1983
Author

@tangyang9464 Because the policies are not contradictory within each role; the writer role and the reader role each work fine on their own. Usually people want to use writer + reader = allowed to write and read. The permissions of two roles should be a union rather than an intersection. In an RBAC system, when a role is bound, the user's permissions should not become fewer.

The situation in a real system is much more complex. There may be hundreds of roles and thousands of policies, managed by different teams, and the roles bound to a user may be inherited from super roles or user groups. When TeamC uses the writer role created by TeamA and the reader role created by TeamB, they are not able to find the contradiction between the two roles.

@tangyang9464
Member

tangyang9464 commented Sep 15, 2021

@GYWang1983 Sorry it took so long to reply. I probably understand now that you want to customize the effector. But I want to know why some(where (p.eft == allow)) doesn't meet your needs; at least in your present example, it can meet your needs. Or can you give an example where the current policy effect does not meet the needs, so that you need to customize it?

@GYWang1983
Author

@tangyang9464 Thanks for the reply.
In our case, the obj looks like {tenant_id}:{project_id}:{app_id}:{sub_object}; users could have a role that grants permissions to manage all apps in one project except for some specified apps.

The model:

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act, eft

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && keyMatch(r.act, p.act)

The policies:

p, role1, tenant-a:prj-1:*:*, *, allow
p, role1, tenant-a:prj-1:app-root:*, *, deny

We cannot enumerate all apps in the policies, because they are created at runtime.
So we also need deny in the effect.
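As an added illustration (not code from this issue or from the Casbin project), the following self-contained Go program models the two effects discussed in this thread on both policy sets quoted above. Casbin's keyMatch is re-implemented locally, `Enforce` reproduces the stock deny-override results for alice and bob, and `EnforceUnion` is a hypothetical effector that evaluates deny-override per role and takes the union, which is what the reporter asks for; the user carol is constructed here to exercise the role1 policies.

```go
package main
import (
	"fmt"
	"strings"
)

type Rule struct{ Sub, Obj, Act, Eft string } // p = sub, obj, act, eft, as in the issue's model
// Constructed sample data joining both policy sets quoted in this issue; "carol" (added) holds role1.
var policy = []Rule{
	{"writer", "data1", "write", "allow"},
	{"reader", "data1", "*", "allow"},
	{"reader", "data1", "write", "deny"},
	{"role1", "tenant-a:prj-1:*:*", "*", "allow"},
	{"role1", "tenant-a:prj-1:app-root:*", "*", "deny"},
}
var roles = map[string][]string{"alice": {"writer", "reader"}, "bob": {"reader"}, "carol": {"role1"}} // g rules
// keyMatch follows Casbin's keyMatch: key2 may hold one '*' that matches any suffix.
func keyMatch(key1, key2 string) bool {
	i := strings.Index(key2, "*")
	if i == -1 {
		return key1 == key2
	} else if len(key1) > i {
		return key1[:i] == key2[:i]
	}
	return key1 == key2[:i]
}
// denyOverride applies e = some(where (p.eft == allow)) && !some(where (p.eft == deny)) to matching rules of subs.
func denyOverride(subs []string, obj, act string) bool {
	allow, deny := false, false
	for _, p := range policy {
		for _, s := range subs {
			if s == p.Sub && keyMatch(obj, p.Obj) && keyMatch(act, p.Act) {
				allow, deny = allow || p.Eft == "allow", deny || p.Eft == "deny"
			}
		}
	}
	return allow && !deny
}
// Enforce is stock behaviour: g(r.sub, p.sub) pools every role, so one role's deny beats another's allow.
func Enforce(user, obj, act string) bool { return denyOverride(roles[user], obj, act) }
// EnforceUnion is what the reporter asks for: deny-override per role, granted if any single role grants.
func EnforceUnion(user, obj, act string) bool {
	for _, r := range roles[user] {
		if denyOverride([]string{r}, obj, act) {
			return true
		}
	}
	return false
}
func main() { fmt.Println(Enforce("alice", "data1", "write"), EnforceUnion("alice", "data1", "write")) } // false true
```

Note that the per-role union does not weaken a deny inside a single role: role1's deny on app-root still blocks carol under both effects, which is the behaviour the second model relies on.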

@tangyang9464
Member

tangyang9464 commented Sep 25, 2021

@GYWang1983 Why don't you add a line of policy at runtime when you create an app? Casbin supports adding policies. Your approach is to manually exclude some apps in the effect, right?

@GYWang1983
Author

@tangyang9464 Nobody wants to add a policy manually after creating an app. They expect the system to do it automatically. So we would need another policy system to determine whether we need to add the policy automatically. And then, maybe we could use that system to check permissions instead of Casbin ... =.=!

@tangyang9464
Member

@GYWang1983 For the two parameters you wanted to add before, how is rmMap used? Maybe you want to use HasLink? But r.sub cannot be obtained here. For the latter, I can pass in e.model["p"][pType].Policy (all policies); then you can get the corresponding policy for each line in the effects array.

It's a bit difficult to describe; please tell me what I didn't say clearly.

@hsluoyz
Member

hsluoyz commented Dec 8, 2022

Closed as stale
