
Comments (23)

jkour avatar jkour commented on July 23, 2024

If the user has Parent View permission, then they must have Grand Parent View permission to do what you describe.

from casbin.net.

mintyfusion avatar mintyfusion commented on July 23, 2024

That is correct. The way our Web/App is set up, you need View permission on the Grand Parent to navigate to the Parent.

In addition, if a user navigates to the Grand Children, we would like to know that they have permission on the Parent, and then we can trim specific actions based on the role.


jkour avatar jkour commented on July 23, 2024

In Casbin4D there is a method that returns the permissions for a user. For example, you would call permissionsForUser('Grand Children') and get all of them.

I am sure @hsluoyz can help you with the Go implementation.

Also, I am not clear on your first question: do you want to find out who the Grand Parent is? If so, I am not sure that is part of the casbin model.


mintyfusion avatar mintyfusion commented on July 23, 2024

We will be using .NET casbin, and I will investigate whether permissionForUser is available there or not.

Yes, we would like to know who the Grand Parent is to show that information in View only mode.


user4517 avatar user4517 commented on July 23, 2024


hsluoyz avatar hsluoyz commented on July 23, 2024

This issue is transferred to Casbin.NET. Casbin is only for Golang.


hsluoyz avatar hsluoyz commented on July 23, 2024

@user4517 please open a new issue.


jkour avatar jkour commented on July 23, 2024

@mintyfusion What have you tried so far?
It seems to me you can create a policy like this:

```
p, user1, ancestor-group, view
```

(or `read` instead of `view`)

or, you can create an RBAC along these lines:

```
p, users, ancestors, view
g, user1, users
```

(again `read` instead of `view`, if you prefer)


mintyfusion avatar mintyfusion commented on July 23, 2024

I'm trying different approaches and would like to avoid assigning explicit permission to the ancestor if possible.

We have hundreds of ancestors, each having children, and those having children of their own. I did come across this article: https://medium.com/silo-blog/designing-a-flexible-permissions-system-with-casbin-f5d97fef17b8 but it seems like you have to define permission for every child as well.


jkour avatar jkour commented on July 23, 2024

> I'm trying different approaches and would like to avoid assigning explicit permission to the ancestor if possible.
>
> ... but it seems like you have to define permission for every child as well.

Unless every parent can view the grandparent, there is no other way to assign permissions but to mention each user explicitly, be it in groups or at the individual level.

And this is not only in casbin but in every authorisation system you can come across.

> We have hundreds of ancestors, each having children, and those having children of their own

When you create them, just make them part of a group automatically.

How do you do it now?


mintyfusion avatar mintyfusion commented on July 23, 2024

We are doing a recursive check right now, and it is probably not optimal. That means that if a Parent accesses grand children directly, we keep going up until we find the right permission and allow or deny access based on it.


jkour avatar jkour commented on July 23, 2024

Ok, I don't know the details of your requirements, but as a general note (and I hope it is relevant), with frameworks like casbin there are two steps:

  1. You ask the framework if an action is allowed (e.g. can a parent read/view the grandparent?).

  2. If yes, then you ask your code/application/server to execute the action (e.g. retrieve who the grandparent is). If no, your code does something about it (e.g. show an error, etc.).


mintyfusion avatar mintyfusion commented on July 23, 2024

That is correct, and we are trying to change our code to follow the model you mentioned above.

Right now, we are trying to figure out the best strategy to implement for thousands of users and tons of parent/child relationships.

Just to reiterate what we have been discussing:

  1. If access is assigned on a Parent, two actions should happen.
    a. Add Read/View permission to its Parent.
    b. Add some sort of permission to all Children and their children.

We would go with RBAC. Do you recommend any way of creating groups that dictate the above model?

The other issue we face is that a lot of content is created at the bottom level (children); how do we constantly assign permissions to it for existing users?


jkour avatar jkour commented on July 23, 2024

When you say you assign access to a Parent, what is this access? Is the user of your app the parent in this instance? Or does the user have access to a parent, meaning the user can read/view/edit/delete a record that shows a parent?

Obviously, all this has to do with your domain and the business logic, and it may be hard to reproduce here.

The model is not that sophisticated. The biggest challenge I see is how you scan through the big number of records to determine the permissions (policies).

In the example I wrote above:

```
p, users, ancestors, view
g, user1, users
```

you will have thousands and millions of `g, userXXXXXX, users` lines.

Now, it looks like a good idea to use a database table to store the `g, XXXXX` relationships. Then, you may need to write an adapter (I am not familiar with the .NET implementation) to run a SQL query. That would be quite fast, I believe.


mintyfusion avatar mintyfusion commented on July 23, 2024

Thank you for helping us out. I'm going to try to explain what we have in more detail, a little differently:

We have a hierarchy something like this:

Sites
Jobs
Lists
Task Lists
Tasks
Individual Action on Tasks
Files

We add users either on Sites or Jobs by Role. That means if we add a User to a Site, they can see all content under that Site and do all actions based on their Role.

If we add them to a particular Job, they can View/Read the Site (Parent), and can do all the actions on that Job (and its children) based on their role.

Our APIs allow access to Tasks directly by sending the Task Id (api/Task/Id). Now the question is how we check if the user has access to the Job or Site, and if they do, then we can allow them to do their role-based actions?


jkour avatar jkour commented on July 23, 2024

> Our APIs allow access to Tasks directly by sending the Task Id (api/Task/Id). Now the question is how we check if the user has access to the Job or Site,

I suppose that when a REST query comes in for a specific task id, you pass the UserID, don't you? I also assume that the sender (user) is kinda logged in to your site, right?

So, if you have the UserID you can ask casbin to verify permissions.

> and if they do, then we can allow them to do their role-based actions?

Have you got difficulties writing the casbin policies? One useful feature in casbin is that you can allow permissions based on URL patterns, similarly to this example here: https://casbin.org/docs/en/rbac#use-pattern-matching-in-rbac


mintyfusion avatar mintyfusion commented on July 23, 2024

Yes, we do have the UserID. Where I'm getting confused is whether we need to send the JobId to know if the user has permissions, or whether we can pass the Task Id to know if the user has permission to the Job, and hence by relation has permission to this Task, enforced by a specific Role?


jkour avatar jkour commented on July 23, 2024

I think you need to check if the user has permissions for the Task, not the Job, because you may have users that are not allowed to access all the tasks for a given job.

The policies may be like this:

```
p, site-users, full-access
g, user1 guid, site-users              <-- here your user has full access

p, job-users, site, view
p, job-users, tasks, view
g, user2 guid, job-users               <-- here your user can see the site and the tasks

p, user2 guid, --task1 GUID--, view
p, user2 guid, --task2 GUID--, view
p, user1 guid, --task3 GUID--, view

g, /taskID/task1 GUID, task1 GUID
```

Now, when you receive your REST request with task1 GUID, you check if the permission is allowed:

```
enforce('user2 guid', '/task/task1 GUID', 'view')
```

I am not sure if this is the correct solution, as I wrote it without checking. Perhaps @hsluoyz can offer some ideas here.


mintyfusion avatar mintyfusion commented on July 23, 2024

I think this combined with Pattern Matching would be the right solution, as we can have thousands of Task Lists and Tasks and don't want to add the user to all of them.

Secondly, adding the Site "View" permission is also a little bit tricky. If a user has access to two jobs under the same Site and we remove access to one job, we would have to check whether they still have access to any other job under the same site. If yes, the View permission stays intact; otherwise we remove that permission as well.


jkour avatar jkour commented on July 23, 2024

> Secondly, adding the Site "View" permission is also a little bit tricky. If a user has access to two jobs under the same Site and we remove access to one job, we would have to check whether they still have access to any other job under the same site. If yes, the View permission stays intact; otherwise we remove that permission as well.

There must be a function you can call to retrieve all permissions for a user, so you can check this easily.


mintyfusion avatar mintyfusion commented on July 23, 2024

Do you mean a function in Casbin, or should we have this in our database?


hsluoyz avatar hsluoyz commented on July 23, 2024

See: https://casbin.org/docs/en/rbac#how-to-query-implicit-roles-or-permissions


mintyfusion avatar mintyfusion commented on July 23, 2024

Great, Thank you very much.

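Putting the Site > Job > Task policies, the "resolve access from the Task Id alone" question and the Site-view removal check from this thread together, here is an added example that is not from the issue or from Casbin: a small Python stand-in for the model, with a user-to-group relation (g), a resource-to-parent relation (g2) and a per-rule scope. All user and resource names are constructed, and the equivalent Casbin matcher in the header comment is an assumption about how the same rule would be written in a model.conf. It also shows the trap the thread circles around: a Site "view" grant for job users must not inherit down into sibling Jobs' tasks.

```python
# Added example (not Casbin code): a minimal stand-in for the model discussed
# above. g maps users to groups, g2 maps a resource to its parent, and each
# policy line has a scope: "tree" = the resource and everything below it,
# "self" = only that resource (the "view the parent Site" grant). Equivalent
# Casbin matcher (assumed, with p = sub, obj, act, scope):
#   g(r.sub, p.sub) && r.act == p.act &&
#   ((p.scope == "tree" && g2(r.obj, p.obj)) || (p.scope == "self" && r.obj == p.obj))
# All names below (site1, job7, task42, alice, bob) are constructed sample data.
G = {"alice": {"site1_users"}, "bob": {"job7_users"}}  # g: user -> groups
PARENT = {"job7": "site1", "job8": "site1", "task42": "job7", "task99": "job8"}  # g2
POLICY = [  # p: group, resource, action, scope
    ("site1_users", "site1", "view", "tree"),
    ("site1_users", "site1", "edit", "tree"),
    ("job7_users", "site1", "view", "self"),  # see the Site, not sibling jobs
    ("job7_users", "job7", "view", "tree"),
    ("job7_users", "job7", "edit", "tree"),
]

def ancestors(obj):
    """obj followed by its parent chain up to the root (g2 closure)."""
    chain = [obj]
    while chain[-1] in PARENT:
        chain.append(PARENT[chain[-1]])
    return chain

def enforce(sub, obj, act):
    """True if any policy line for one of sub's groups grants act on obj."""
    for group, p_obj, p_act, scope in POLICY:
        if group not in G.get(sub, ()) or act != p_act:
            continue
        if (scope == "tree" and p_obj in ancestors(obj)) or (scope == "self" and p_obj == obj):
            return True
    return False

def enforce_path(sub, path, act):
    """Resolve api/Task/<id> to the task id; Job and Site come from g2, so no JobId is needed."""
    return enforce(sub, path.strip("/").split("/")[-1], act)

def implicit_permissions(sub):
    """Flatten sub's groups into (obj, act, scope) grants, like GetImplicitPermissionsForUser."""
    return sorted((o, a, s) for g, o, a, s in POLICY if g in G.get(sub, ()))

def jobs_held_under(groups, site):
    """Jobs under site that these groups hold tree-scoped grants on. The removal check
    from the thread: drop the Site "view" grant only when this comes back empty."""
    return sorted({o for g, o, a, s in POLICY
                   if g in groups and s == "tree" and PARENT.get(o) == site})
```

With a real Casbin enforcer the same checks map onto `Enforce` and the implicit-permission query from the link above; the scope field is the part that keeps the parent-only "view" grant from leaking into sibling jobs.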
