Role definition with domains/tenants
The RBAC roles in Casbin can be global or domain-specific. Domain-specific roles mean that a user's roles can differ from one domain/tenant to another. This is very useful for large multi-tenant systems such as a cloud, where users usually belong to different tenants.

The role definition with domains/tenants should look like this:

```ini
g = _, _, _
```

The third `_` is the name of the domain/tenant; this part should not be changed. The policy can then be:
```csv
p, admin, tenant1, data1, read
p, admin, tenant2, data2, read
g, alice, admin, tenant1
g, alice, user, tenant2
```

This means that the `admin` role in `tenant1` can read `data1`, and the `admin` role in `tenant2` can read `data2`. `alice` has the `admin` role in `tenant1` and the `user` role in `tenant2`. So she can read `data1`. However, since `alice` is not an `admin` in `tenant2`, she cannot read `data2`.
Then in the matcher, check the role together with the domain:

```ini
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act
```

Both domain terms matter: `g(r.sub, p.sub, r.dom)` asks whether the subject holds the role in the requested domain, and `r.dom == p.dom` restricts the match to policy lines written for that same domain. Dropping the second term lets a role held in one tenant satisfy policy lines of another tenant.
Please see the rbac_with_domains_model.conf for examples.
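As an added example (not Casbin's own code and not from the original page), the following self-contained Go program re-implements the matcher above over the four policy lines shown, so the evaluation can be traced without the Casbin library. `LoadPolicy`, `Enforcer`, `hasRole`, `Enforce` and the `checkDomain` switch are names chosen here; the switch exists only to show what happens when the `r.dom == p.dom` term is left out of the matcher.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed input: the four policy lines from the page, in Casbin's CSV layout.
const policyCSV = `
p, admin, tenant1, data1, read
p, admin, tenant2, data2, read
g, alice, admin, tenant1
g, alice, user, tenant2
`

// policyRule is one "p" line: p = sub, dom, obj, act.
type policyRule struct{ sub, dom, obj, act string }

// roleLink is one "g" line: g = _, _, _ (user, role, domain).
type roleLink struct{ user, role, dom string }

// Enforcer is a hypothetical stand-in for a Casbin enforcer using the page's model.
type Enforcer struct {
	rules       []policyRule
	links       []roleLink
	checkDomain bool // true: keep the `r.dom == p.dom` term of the matcher
}

// LoadPolicy parses the CSV policy; malformed lines are rejected, not skipped.
func LoadPolicy(csv string, checkDomain bool) (*Enforcer, error) {
	e := &Enforcer{checkDomain: checkDomain}
	for _, line := range strings.Split(csv, "\n") {
		line = strings.TrimSpace(line)
		if line == "" {
			continue
		}
		f := strings.Split(line, ",")
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		switch {
		case f[0] == "p" && len(f) == 5:
			e.rules = append(e.rules, policyRule{f[1], f[2], f[3], f[4]})
		case f[0] == "g" && len(f) == 4:
			e.links = append(e.links, roleLink{f[1], f[2], f[3]})
		default:
			return nil, fmt.Errorf("malformed policy line: %q", line)
		}
	}
	return e, nil
}

// hasRole implements g(r.sub, p.sub, r.dom): does sub hold role in dom, directly
// or through a chain of g links defined in that same domain? Links belonging to
// other domains are never followed, which is what makes the roles tenant-scoped.
func (e *Enforcer) hasRole(sub, role, dom string) bool {
	if sub == role {
		return true // a name trivially "has" itself, as in Casbin's role manager
	}
	seen := map[string]bool{sub: true}
	queue := []string{sub}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, l := range e.links {
			if l.user != cur || l.dom != dom || seen[l.role] {
				continue
			}
			if l.role == role {
				return true
			}
			seen[l.role] = true
			queue = append(queue, l.role)
		}
	}
	return false
}

// Enforce evaluates the page's matcher against every p rule; any match allows.
func (e *Enforcer) Enforce(sub, dom, obj, act string) bool {
	for _, p := range e.rules {
		if !e.hasRole(sub, p.sub, dom) {
			continue
		}
		if e.checkDomain && dom != p.dom {
			continue
		}
		if obj == p.obj && act == p.act {
			return true
		}
	}
	return false
}

func main() {
	for _, strict := range []bool{true, false} {
		e, err := LoadPolicy(policyCSV, strict)
		if err != nil {
			panic(err)
		}
		fmt.Printf("r.dom == p.dom kept: %v\n", strict)
		fmt.Println("  alice, tenant1, data1, read ->", e.Enforce("alice", "tenant1", "data1", "read"))
		fmt.Println("  alice, tenant2, data2, read ->", e.Enforce("alice", "tenant2", "data2", "read"))
		// alice is admin only in tenant1; with the domain term dropped, tenant2's
		// admin policy line still matches and data2 leaks across tenants.
		fmt.Println("  alice, tenant1, data2, read ->", e.Enforce("alice", "tenant1", "data2", "read"))
	}
}
```

With the full matcher, `alice` reads `data1` in `tenant1` and nothing in `tenant2`. With `checkDomain` set to false, the request `alice, tenant1, data2, read` is allowed: her `admin` role in `tenant1` satisfies `g(r.sub, p.sub, r.dom)`, and nothing else stops the `tenant2` policy line from matching.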
Note: Conventionally the domain token in the policy definition is named `dom` and placed as the second token (`sub, dom, obj, act`).

Golang Casbin now supports a customized token name and position. If the domain token is named `dom`, it can be placed at an arbitrary position and no extra action is needed. If the domain token is not named `dom`, `e.SetFieldIndex("p", constant.DomainIndex, index)` must be called after the enforcer is initialized, regardless of the token's position:

```ini
# `domain` here instead of `dom`
p = sub, obj, act, domain
```

```go
e.SetFieldIndex("p", constant.DomainIndex, 3) // index starts from 0
users := e.GetAllUsersByDomain("domain1")     // without SetFieldIndex, this raises an error
```