How can I link a collection of users to policy rules of a single resource using Casbin RBAC?
Question
Unable to come up with appropriate RBAC model for linking collection of users to policy rules of a single resource.
[request_definition]
r = resource_id, module, action
[policy_definition]
p = priority, resource_id, module, action, eft
[role_definition]
g = _, _
[policy_effect]
e = priority(p.eft) || deny
[matchers]
m = p.resource_id == r.resource_id && ((g(p.module, r.module) || ((p.module == r.module) && (p.eft == 'allow'))) && p.action == r.action || p.module == 'admin')
The model above allows me to create granular policy rules for individuals. For example: Jason can view, create and edit users but they can't delete users. This would be described as:
p, 1, jason, users, view, allow
p, 1, jason, users, create, allow
p, 1, jason, users, edit, allow
p, 1, jason, users, delete, deny
What I need is a way to link a collection of users to a resource. Let me explain: let's say you have a group in your system that houses 10 users. The intent is to be able to assign permissions to that group and have those permissions be linked to all 10 members. Why? Less data to manage if you just have to update the policy rules of a single resource instead of 10.
Here's what I think it would look like in terms of group/policy rules:
g, group1, ken
g, group1, roman
g, group1, shiv
p, 1, group1, users, view, allow
p, 1, group1, users, create, allow
p, 1, group1, users, edit, allow
p, 1, group1, users, delete, allow
With the above in mind, ken trying to 'view' the users module would resolve as true.
I have not been able to figure out the matcher I need for this use-case. Any help would be appreciated.
Answer 1
Score: 0
I managed to figure out the model I needed to meet my requirements. Here it is:
[request_definition]
r = user, module, action
[policy_definition]
p = priority, user, module, action, eft, is_exception
[role_definition]
g = _, _
[policy_effect]
e = priority(p.eft) || deny
[matchers]
m = (r.user == p.user || g(p.user, r.user)) && (r.module == p.module || g(p.module, r.module)) && r.action == p.action
I hope this is helpful!
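As an added illustration (not code from the answer or from Casbin itself), the small evaluator below re-implements the answer's matcher, the `g` role function and the `priority(p.eft) || deny` effect in plain Python over the question's group links and rules, so the group-to-user resolution can be traced step by step. It fills the `is_exception` column with a constructed value, since the matcher never reads it, and keeps the answer's lookup direction: links are stored as `g, group1, ken` and queried as `g(p.user, r.user)`.

```python
# Added example: a minimal hand-rolled evaluator for the model in the answer above.
# It is NOT the Casbin library; it mimics the matcher, the g() role function and
# the `priority(p.eft) || deny` effect so the group-to-user resolution is visible.
from collections import namedtuple

Request = namedtuple("Request", "user module action")
Policy = namedtuple("Policy", "priority user module action eft is_exception")

# Constructed data: the group links and rules from the question, plus the
# is_exception column the answer's policy_definition requires (never matched on).
GROUP_LINKS = [("group1", "ken"), ("group1", "roman"), ("group1", "shiv")]
POLICIES = [
    Policy(1, "group1", "users", "view", "allow", "false"),
    Policy(1, "group1", "users", "create", "allow", "false"),
    Policy(1, "group1", "users", "edit", "allow", "false"),
    Policy(1, "group1", "users", "delete", "allow", "false"),
    Policy(1, "jason", "users", "delete", "deny", "false"),
]

def g(name1, name2, links=GROUP_LINKS):
    """Role function for `g = _, _`: true if name1 reaches name2 through the links
    (a name trivially reaches itself), following chains of links."""
    seen, frontier = set(), [name1]
    while frontier:
        n = frontier.pop()
        if n == name2:
            return True
        if n in seen:
            continue
        seen.add(n)
        frontier.extend(b for a, b in links if a == n)
    return False

def matches(r, p):
    """The answer's matcher, evaluated for one request against one rule."""
    return ((r.user == p.user or g(p.user, r.user))
            and (r.module == p.module or g(p.module, r.module))
            and r.action == p.action)

def enforce(user, module, action, policies=POLICIES):
    """Effect `priority(p.eft) || deny`: among matching rules the one with the
    smallest priority value decides; no matching rule means deny."""
    r = Request(user, module, action)
    hits = sorted((p for p in policies if matches(r, p)), key=lambda p: p.priority)
    return hits[0].eft == "allow" if hits else False
```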