Comments (23)
If the user has Parent View permission, then they must have Grand Parent view permissions to do what you say
from casbin.net.
That is correct. The way our Web/App is set up, you need View permissions on the Grand Parent to navigate to the Parent.
In addition, if a user navigates to Grand Children, we would like to know that they have permission to the Parent, and then we can trim specific actions based on the role.
In Casbin4D there is a method that returns the permissions for a user. For example, you would call permissionsForUser('Grand Children') and get all of them.
I am sure @hsluoyz can help you with the Go implementation.
Also, I am not clear on your first question: do you want to find out who the Grand Parent is? If so, I am not sure it is part of the casbin model.
We will be using .NET casbin, and I will investigate whether permissionForUser is available there or not.
Yes, we would like to know who the Grand Parent is, to show that information in view-only mode.
This issue has been transferred to Casbin.NET. Casbin is only for Golang.
@user4517 please send a new issue.
@mintyfusion What have you tried so far?
It seems to me you can create a policy like this:
p, user1, ancestor-group, view (or read)
or you can create an RBAC along these lines:
p, users, ancestors, view (read)
g, user1, users
I'm trying different approaches and would like to avoid assigning explicit permission to the ancestor if possible.
We have hundreds of ancestors that have children, which in turn have children of their own. I did come across this article: https://medium.com/silo-blog/designing-a-flexible-permissions-system-with-casbin-f5d97fef17b8 but it seems like you have to define permissions for every child as well.
I'm trying different approaches and would like to avoid assigning explicit permission to the ancestor if possible.
... but it seems like you have to define permissions for every child as well.
Unless every parent can view the grandparent, there is no other way to assign permissions but to mention each user explicitly, be it in groups or at the individual level.
And this is not only in casbin but in every authorisation system you can come across.
We have hundreds of ancestors that have children, which in turn have children of their own.
When you create them, just make them part of a group automatically.
How do you do it now?
We are doing a recursive check right now, which is probably not optimal. That means that if a Parent accesses Grand Children directly, we keep going up until we find the right permission and allow or deny access based on it.
OK, I don't know the details of your requirements, but as a general note (and I hope it is relevant), with frameworks like casbin there are two steps:
- You ask the framework if an action is allowed (e.g., can a parent read/view the grandparent?)
- If yes, then you ask your code/application/server to execute the action (e.g., retrieve who the grandparent is). If no, your code does something about it (e.g., show an error, etc.)
That is correct, and we are trying to change our code to follow the model you mentioned above.
Right now, we are trying to figure out the best strategy to implement for thousands of users and tons of parent/child relationships.
Just to reiterate what we have been discussing:
- If access is assigned on a Parent, two actions should happen:
  a. Add Read/View permission to its Parent.
  b. Add some sort of permission to all Children and their children.
We would go with RBAC. Do you recommend any way of creating groups that dictate the above model?
The other issue we face is that a lot of content is created at the bottom level (children), and how do we constantly assign permissions to it for existing users?
When you say you assign access to a Parent, what is this access? Is the user of your app the parent in this instance? Or does the user have access to a parent, meaning the user can read/view/edit/delete a record that shows a parent?
Obviously, all this has to do with your domain and the business logic, and it may be hard to reproduce here.
The model is not that sophisticated. The biggest challenge I see is how you scan through the big number of records to determine the permissions (policies).
In the example I wrote above:
p, users, ancestors, view (read)
g, user1, users
you will have thousands and millions of g, userXXXXXX, users.
Now, it looks like a good idea to use a database table to store the g, XXXXX relationships. Then you may need to write an adaptor (I am not familiar with the .NET implementation) to run a SQL query. That would be quite fast, I believe.
Thank you for helping us out. I'm going to try to explain what we have in more detail, a little differently:
We have a hierarchy something like this:
Sites
Jobs
Lists
Task Lists
Tasks
Individual Actions on Tasks
Files
We add users either on Sites or Jobs by Role. That means if we add a User to a Site, they can see all content under that Site and do all actions based on their Role.
If we add them to a particular Job, they can View/Read the Site (Parent), and can do all the actions on that Job (and its children) based on their role.
Our APIs allow access to Tasks directly by sending the Task Id: api/Task/Id. Now the question is how we check if the user has access to the Job or Site, and if they do, then we can allow them to do their role-based actions.
Our APIs allow access to Tasks directly by sending the Task Id: api/Task/Id. Now the question is how we check if the user has access to the Job or Site,
I suppose that when a REST query comes in for a specific task id, you pass the UserID, don't you? I also assume that the sender (user) is kind of logged in to your site, right?
So, if you have the UserID, you can ask casbin to verify permissions.
and if they do, then we can allow them to do their role-based actions?
Have you got difficulties writing the casbin policies? One useful feature in casbin is that you can allow permissions based on URL patterns, similar to this example here: https://casbin.org/docs/en/rbac#use-pattern-matching-in-rbac
Yes, we do have the UserID. Where I'm getting confused is whether we need to send the JobId to know if the user has permissions, or whether we can pass the Task Id to know if the user has permission to the Job, and hence by relation has permission to this Task, enforced by a specific Role.
I think you need to check if the user has permissions for the Task, not the Job, because you may have users that are not allowed to access all the tasks for a given job.
The policies may be like this:
p, site-users, full-access
g, user1 guid, site-users
<-- here your user has full access
p, job-users, site, view
p, job-users, tasks, view
g, user2 guid, job-users
<-- here your user can see the site and the tasks
p, user2 guid, --task1 GUID--, view
p, user2 guid, --task2 GUID--, view
p, user1 guid, --task3 GUID--, view
g, /taskID/task1 GUID, task1 GUID
Now, when you receive your REST request with task1 GUID, you check if the permission is allowed:
enforce('task1 GUID', '/task/task GUID', 'view')
I am not sure if this is the correct solution, as I wrote it without checking. Perhaps @hsluoyz can offer some ideas here.
I think this combined with Pattern Matching would be the right solution, as we can have thousands of Task Lists and Tasks and don't want to add users to all of them.
Secondly, adding Site "View" permission is also a little bit tricky. If a user has access to two jobs under the same Site and we remove access to one job, we would have to check whether they have access to any other job under the same site. If yes, the View permission stays intact; otherwise, remove that permission as well.
Secondly, adding Site "View" permission is also a little bit tricky. If a user has access to two jobs under the same Site and we remove access to one job, we would have to check whether they have access to any other job under the same site. If yes, the View permission stays intact; otherwise, remove that permission as well.
There must be a function you can call to retrieve all permissions for a user, so you can check this easily.
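The hierarchy check discussed in this thread (a role added on a Site or Job applying to everything beneath it, a Job assignment implying read-only View of the Site, and revoking one Job not disturbing a Site View that another Job still justifies), as an added example that is not code from this thread, from Casbin or from Casbin.NET. It resolves the ancestor chain of the requested object at enforcement time instead of storing a derived Site View rule, so a revocation needs no follow-up check. The object tree, role names, user names and the HierarchyEnforcer class are constructed for the illustration; in a deployment the tree would come from the application's database and the role/action table would be the Casbin policy.

```python
from __future__ import annotations

from collections.abc import Iterator

# Constructed object tree for this illustration: id -> (kind, parent id).
# Sites are roots; the chain mirrors Sites > Jobs > Lists > Task Lists > Tasks.
PARENTS: dict[str, tuple[str, str | None]] = {
    "site-1": ("Site", None),
    "job-1": ("Job", "site-1"),
    "job-2": ("Job", "site-1"),
    "list-1": ("List", "job-1"),
    "tasklist-1": ("TaskList", "list-1"),
    "task-1": ("Task", "tasklist-1"),
    "list-2": ("List", "job-2"),
    "tasklist-2": ("TaskList", "list-2"),
    "task-2": ("Task", "tasklist-2"),
}

# Constructed roles: actions a role may perform on the subtree it is assigned to
# (the counterpart of Casbin "p" rules whose object is supplied by the hierarchy).
ROLE_ACTIONS: dict[str, frozenset[str]] = {
    "manager": frozenset({"view", "edit", "delete"}),
    "worker": frozenset({"view", "edit"}),
}
ALL_ACTIONS = frozenset().union(*ROLE_ACTIONS.values())


def ancestors(obj: str) -> Iterator[str]:
    """Yield obj, then each ancestor up to the Site root: the 'keep going up' walk."""
    node: str | None = obj
    while node is not None:
        yield node
        node = PARENTS[node][1]


class HierarchyEnforcer:
    """Role grants at Site or Job level, resolved against the object tree per request."""

    def __init__(self) -> None:
        # (user, object) -> role: the counterpart of Casbin "g" rules scoped to an object.
        self._grants: dict[tuple[str, str], str] = {}

    def assign(self, user: str, obj: str, role: str) -> None:
        if PARENTS[obj][0] not in {"Site", "Job"}:
            raise ValueError("roles are assigned at Site or Job level only")
        if role not in ROLE_ACTIONS:
            raise ValueError(f"unknown role {role!r}")
        self._grants[(user, obj)] = role

    def revoke(self, user: str, obj: str) -> None:
        # Nothing else to clean up: Site View is derived in enforce(), never stored.
        self._grants.pop((user, obj), None)

    def enforce(self, user: str, obj: str, action: str) -> bool:
        """Decide a request such as GET api/Task/{id} from the task id alone."""
        if obj not in PARENTS:
            return False  # unknown object: deny by default
        # 1. A role granted on obj or on any ancestor applies to obj.
        for node in ancestors(obj):
            role = self._grants.get((user, node))
            if role is not None and action in ROLE_ACTIONS[role]:
                return True
        # 2. A grant anywhere below obj implies read-only View of obj
        #    (a user added to a Job can view the Site, nothing more).
        if action == "view":
            return any(u == user and obj in ancestors(on) for (u, on) in self._grants)
        return False

    def implicit_permissions(self, user: str) -> set[tuple[str, str]]:
        """Every (object, action) the user may perform, derived from the tree."""
        return {(o, a) for o in PARENTS for a in ALL_ACTIONS if self.enforce(user, o, a)}


def demo() -> dict[str, bool]:
    """Walk through the scenario from the thread; returns each decision by label."""
    e = HierarchyEnforcer()
    e.assign("alice", "site-1", "manager")  # added on the Site: everything below it
    e.assign("bob", "job-1", "worker")      # added on two Jobs under the same Site
    e.assign("bob", "job-2", "worker")
    out = {
        "alice deletes task-2 via Site role": e.enforce("alice", "task-2", "delete"),
        "bob edits task-1 via job-1 role": e.enforce("bob", "task-1", "edit"),
        "bob views site-1 implicitly": e.enforce("bob", "site-1", "view"),
        "bob cannot edit site-1": e.enforce("bob", "site-1", "edit"),
    }
    e.revoke("bob", "job-2")  # job-1 still justifies Site View; no re-check needed
    out["bob still views site-1 after losing job-2"] = e.enforce("bob", "site-1", "view")
    out["bob no longer views task-2"] = e.enforce("bob", "task-2", "view")
    e.revoke("bob", "job-1")  # last Job gone, so the derived Site View disappears
    out["bob loses site-1 view after last job"] = e.enforce("bob", "site-1", "view")
    return out


if __name__ == "__main__":
    for label, allowed in demo().items():
        print("allow" if allowed else "deny ", label)
```

The walk up the tree is bounded by the depth of the hierarchy, not by the number of users or tasks, so the thousands of g rules discussed above become one lookup per level; implicit_permissions is the derived equivalent of the "permissions for user" query and can be used to show which Sites a user may see in view-only mode.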
Do you mean a function in Casbin, or should we have this in our database?
See: https://casbin.org/docs/en/rbac#how-to-query-implicit-roles-or-permissions
Great, Thank you very much.