I'm trying to create a Casbin RBAC + ACL model. The business requirement is as follows:
We have an Organization, and within an Organization you can create Folders. There are special folders like the Workspace folder. Basically, the folders are a way to limit access to certain resources, resources that you "put" in those folders. If you have access to a folder, you immediately have access to all of its children, unless explicitly overridden by the folder owner. Example:
Now, we also have features and permissions. A role is a set of permissions. Features examples: users, computers, scripts. Permissions examples: edit user, delete user, publish script.
So now, I'm trying to bring this all together to come up with the correct Casbin model. From my understanding, I need to define roles and their permissions, the folder hierarchy, which users have access to each folder, which roles a user has, and which resources are inside a folder. In that way, when a request comes in asking whether the user "John" can publish script "Untitled", the model would look up which folder "Untitled" is in, and then check whether "John" has permission for that folder and also has the permission to publish scripts (if "John" has the "bot developer" role).
Roles and their permissions
p, role:workspaceAdmin, feature:user, edit
p, role:workspaceAdmin, feature:user, delete
p, role:workspaceAdmin, feature:workspace, edit
p, role:botDeveloper, feature:script, publish
So, the workspace admin role can edit or delete users and can edit the workspace. The bot developer role can publish scripts.
Folders hierarchy
g2, folder:watson, script:untitled
g2, folder:xpto, folder:doc
g2, folder:xpto, folder:infra
g2, folder:xpto, folder:watson
g2, folder:watson, folder:projectX
g2, folder:watson, folder:projectY
g2, folder:infra, folder:project66
g2, folder:doc, folder:marcela
Which users have access to each folder
g, user:joba, folder:watson
Which roles a user has
g, user:joba, role:botDeveloper
Which resources are inside a folder
g2, folder:watson, script:untitled
With that in place, the following request returns false, where I expected it to be true: user:joba, script:untitled, publish. This is because user "joba" has permission to "publish" feature "script", has access to folder "watson", and the "script" named "untitled" belongs to that folder.
Model
[request_definition]
r = sub, obj, action
[policy_definition]
p = sub, obj, action
[role_definition]
g = _, _
g2 = _, _
[policy_effect]
e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
[matchers]
m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act
Policy
p, role:workspaceAdmin, feature:user, edit
p, role:workspaceAdmin, feature:user, delete
p, role:workspaceAdmin, feature:workspace, edit
p, role:botDeveloper, feature:script, publish
g2, folder:watson, script:untitled
g2, folder:xpto, folder:doc
g2, folder:xpto, folder:infra
g2, folder:xpto, folder:watson
g2, folder:watson, folder:projectX
g2, folder:watson, folder:projectY
g2, folder:infra, folder:project66
g2, folder:doc, folder:marcela
g, user:joba, folder:watson
g2, folder:watson, script:untitled
Request
user:joba, script:untitled, publish

You didn't describe the relationship between user & role, or script & feature. And in the model file, "action" should be "act", or change "r.act" and "p.act" into "r.action" and "p.action". I recommend you read the docs, thanks.
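Added example, not code from the issue or from Casbin itself: a small pure-Python re-implementation of how Casbin resolves g/g2 links and evaluates the posted matcher. It runs the posted request against the issue's own policy (returns false) and against a policy that adds the user-to-role and script-to-feature links from the reply, writes the g2 links child-first as Casbin's rbac_with_resource_roles example does, and adds a folder term to the matcher; that folder term is an assumption about the intended design, not something the thread states.

```python
from collections import defaultdict

# Policies are constructed for this example. POSTED is the issue's own
# policy; FIXED applies the reply (user->role and script->feature links)
# plus Casbin's child-first link direction for the folder tree.
POSTED = """
p, role:botDeveloper, feature:script, publish
g2, folder:watson, script:untitled
g, user:joba, folder:watson
"""
FIXED = """
p, role:botDeveloper, feature:script, publish
g, user:joba, role:botDeveloper
g, user:joba, folder:xpto
g2, script:untitled, feature:script
g2, script:untitled, folder:watson
g2, folder:watson, folder:xpto
"""

def load(text):
    """Parse CSV policy lines into {"p": [(sub, obj, act)], "g"/"g2": [(a, b)]}."""
    rules = defaultdict(list)
    for line in text.strip().splitlines():
        ptype, *fields = [f.strip() for f in line.split(",")]
        rules[ptype].append(tuple(fields))
    return rules

def has_link(links, name1, name2):
    """Like Casbin's role manager: true if name1 reaches name2 through links."""
    seen, stack = set(), [name1]
    while stack:
        cur = stack.pop()
        if cur == name2:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(b for a, b in links if a == cur)
    return False

def enforce(rules, sub, obj, act, check_folder=False):
    """Posted matcher: g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act.
    check_folder adds the missing term: sub must hold a folder that contains obj."""
    for p_sub, p_obj, p_act in rules["p"]:
        if not (has_link(rules["g"], sub, p_sub)
                and has_link(rules["g2"], obj, p_obj) and act == p_act):
            continue
        if not check_folder:
            return True
        held = [b for a, b in rules["g"] if a == sub and b.startswith("folder:")]
        if any(has_link(rules["g2"], obj, f) for f in held):
            return True
    return False
```

Without the folder term the FIXED policy already grants the request, but it would do so for a bot developer holding any folder; the folder term is what ties the permission to the folder tree the question describes.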