
I need to write a casbin config to implement user roles and nested resources (objects) in a node.js application.

For users RBAC works well, propagating allowed rules from roles down to users.

For resources (objects) I need a different policy: If obj X is in group Y and Y is in group Z, user must have ALLOW access to X AND Y AND Z. In other words, object and object groups apply additional restrictions on top of their parents.

At the same time, if a user has DENY access on X, no parent (Y or Z) ALLOW rules apply. This is easily implemented with RBAC's

[policy_effect]
e = !some(where (p.eft == deny))

[matchers]
m = g(r.sub, p.sub) ...

Do I need custom matchers? Really need help to get started on this task.

Anton
  • Already replied to your GitHub issue: https://github.com/casbin/casbin/issues/716 – hsluoyz Mar 02 '21 at 17:04
  • Unfortunately, the reply at GitHub does not provide a viable solution to the problem. Combining subjects into a long string so that it can be parsed back and validated with regexp is definitely a no-no performance-wise. Even more, the GitHub issue is closed, which indicates the casbin team is not interested in the discussion. So the question remains. – Anton Mar 05 '21 at 06:41
  • isSubPath(arg1, arg2) is just something simply like strings.HasPrefix(arg1, arg2), it's very performant and includes no regex at all. We usually close stale issues, I opened it again now. – hsluoyz Mar 05 '21 at 16:43

0 Answers
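
The decision rule the question describes, as an added example in plain JavaScript (not code from the question, its comments, or the casbin project): roles propagate rules down to users, and an object is accessible only if every level of its group chain allows the request. It does not call the casbin API; `roleOf`, `parentOf`, `policy` and the sample rules are constructed, and it assumes each level is decided as "at least one allow and no deny".

```javascript
// Constructed sample data; every name here is hypothetical.
const roleOf = { alice: ['editor'], bob: ['editor'], carol: ['viewer'], editor: ['viewer'] };
const parentOf = { X: 'Y', Y: 'Z' }; // object -> containing group
const policy = [
  // [sub, obj, act, eft]
  ['viewer', 'Z', 'read', 'allow'],
  ['editor', 'Y', 'read', 'allow'],
  ['editor', 'X', 'read', 'allow'],
  ['bob', 'X', 'read', 'deny'],
];

// The subject plus every role reachable from it (transitive, cycle-safe).
function subjectsFor(sub) {
  const seen = new Set();
  const stack = [sub];
  while (stack.length) {
    const s = stack.pop();
    if (seen.has(s)) continue;
    seen.add(s);
    stack.push(...(roleOf[s] || []));
  }
  return seen;
}

// The object followed by its chain of parent groups: X -> [X, Y, Z].
function objectChain(obj) {
  const chain = [];
  for (let o = obj; o !== undefined && !chain.includes(o); o = parentOf[o]) chain.push(o);
  return chain;
}

// One level: some matching allow rule and no matching deny rule.
function allowedAt(subs, obj, act) {
  const hits = policy.filter(([s, o, a]) => subs.has(s) && o === obj && a === act);
  return hits.some((r) => r[3] === 'allow') && !hits.some((r) => r[3] === 'deny');
}

// Objects restrict: the request must pass at X AND Y AND Z.
function enforce(sub, obj, act) {
  const subs = subjectsFor(sub);
  return objectChain(obj).every((o) => allowedAt(subs, o, act));
}
```

With a real enforcer the same shape applies: resolve the object's group chain in application code and require one successful check per level, which keeps the matcher itself a plain equality test.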