[RBAC w/ Domain] Checking for an object/action permission in any domain.

[ShawnPavel]

I'm attempting to figure out how to discover if a user has the ability to perform a specific action on an object in any of my domains. Here's basically what I'm working with:

config

[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && r.obj == p.obj && r.act == p.act

policies

p, admin, tenant1, data1, read
p, admin, tenant1, data1, write
p, admin, tenant1, data2, read
p, admin, tenant1, data2, write
p, user, tenant1, data1, read
p, user, tenant1, data2, read

p, admin, tenant2, data1, read
p, admin, tenant2, data1, write
p, admin, tenant2, data2, read
p, admin, tenant2, data2, write
p, user, tenant2, data1, read
p, user, tenant2, data2, read

g, alice, admin, tenant1
g, bob, user, tenant2

I want to check if Alice has the write action on data1 for any domain. What is the best way to do this?

I can do an enforce and supply a domain to check if the user has data1 write access, but I can't do it for all domains at once.

I have attempted to add a custom domain matching function using the following code, but the wildCardDomainMatch doesn't seem to ever be called.

initialization

    this._permissionEnforcer = await newEnforcer(this._model, this._adapter);
    const rm = new DefaultRoleManager(10);
    await rm.addDomainMatchingFunc(this.wildCardDomainMatch);
    await this._permissionEnforcer.setRoleManager(rm);
    await this._permissionEnforcer.loadPolicy();

Domain Match Function

private wildCardDomainMatch = (requestDomain: string, policyDomain: string): boolean => {
  if (requestDomain === "*") {
      return true;
  }

  return requestDomain === policyDomain;
};

[hsluoyz]

@nodece @Zxilly @Gabriel-403

[Zxilly]

@hsluoyz Did this util exist in casbin-golang? I wonder what should I named it.

[ShawnPavel]

@Zxilly I didn't see any util in the casbin-golang that met this criteria.

[Zxilly]

Maybe we can add a series of util function, like getImplicitCrossDomainPermissionsForUser(), to achieve this. I didn't find a good solution to implement this in enforce().

[Zxilly]

@ShawnPavel And another option is (g(r.sub, p.sub, r.dom) || r.sub == admin), for this can have a better performance.

[ShawnPavel]

@ShawnPavel And another option is (g(r.sub, p.sub, r.dom) || r.sub == admin), for this can have a better performance.

@Zxilly I'm not sure how that would help in this use case. They users aren't admins that I'm checking.

[ShawnPavel]

Maybe we can add a series of util function, like getImplicitCrossDomainPermissionsForUser(), to achieve this. I didn't find a good solution to implement this in enforce().

How would this work?

[kasvith]

+1 I need this too

[cwkang1998]

Its stated here https://casbin.org/docs/en/rbac-with-domains-api#getrolesforuserindomain that its available for node-casbin, but this is not yet available from what I see right now (Unless I am wrong, if so then please forgive me for being blind).

if this is not already done and is already at somewhere, I am willing to contribute and add this functionality in.

[hsluoyz]

Hi @cwkang1998 I think nobody is working on this now. Contribution is welcome! Please make a PR for it. Can you also join our QQ group? https://casbin.org/en/help

[nodece]

I remember this feature has been supported, see https://casbin.org/docs/en/rbac#use-pattern-matching-in-rbac, I'm not sure whether is correct.

We should add this section doc to casbin website.

[cwkang1998]

I remember this feature has been supported, see https://casbin.org/docs/en/rbac#use-pattern-matching-in-rbac, I'm not sure whether is correct.

We should add this section doc to casbin website.

Its definitely doable with the current Management API, its just that the simplified API in the RBAC with domain API stated is not there yet hahahaha.

[cwkang1998]

Hi @cwkang1998 I think nobody is working on this now. Contribution is welcome! Please make a PR for it. Can you also join our QQ group? https://casbin.org/en/help

Sure!

[Shivansh-yadav13]

do we still plan to add GetUsersForRoleInDomain() & GetRolesForUserInDomain() for node-casbin?
& additional getImplicitCrossDomainPermissionsForUser()?

[cwkang1998]

Thanks for reminding me @Shivansh-yadav13 , I will submit a PR either by tonight or tmr night.

[Shivansh-yadav13]

I think if we just use GetDomains(user) and then just for-loop enforce then we will be able to know if Alice has the write action on data1 for any domain. (get domain needs to be added)

[cwkang1998]

I think if we just use GetDomains(user) and then just for-loop enforce then we will be able to know if Alice has the write action on data1 for any domain. (get domain needs to be added)

You can take a look at my PR and see if it resolves the need for this. if not I think we can add this api in, but I feel like the current implementation can already achieve this.