
RBAC with Domains API

Convenience API for RBAC with domains: user–role and permission operations scoped by domain. It is a subset of the Management API. Below, e is an Enforcer instance loaded with a domain-aware model.

Reference

e, err := casbin.NewEnforcer("examples/rbac_with_domains_model.conf", "examples/rbac_with_domains_policy.csv")

GetUsersForRoleInDomain

Returns all users that have the given role in the given domain.

res := e.GetUsersForRoleInDomain("admin", "domain1")

GetRolesForUserInDomain

Returns all roles assigned to the user in the given domain.

res := e.GetRolesForUserInDomain("alice", "domain1")

GetPermissionsForUserInDomain

Returns all permissions (policy rules) for the user or role in the given domain.

res := e.GetPermissionsForUserInDomain("alice", "domain1")

AddRoleForUserInDomain

Assigns the role to the user in the domain. Returns false if the assignment already exists.

ok, err := e.AddRoleForUserInDomain("alice", "admin", "domain1")

DeleteRoleForUserInDomain

Removes the role from the user in the domain. Returns false if the link did not exist.

ok, err := e.DeleteRoleForUserInDomain("alice", "admin", "domain1")

DeleteRolesForUserInDomain

Removes all roles from the user in the domain. Returns false if the user had no roles there.

ok, err := e.DeleteRolesForUserInDomain("alice", "domain1")

GetAllUsersByDomain

Returns all users that have at least one role in the given domain. Empty if the model has no domain.

res := e.GetAllUsersByDomain("domain1")

DeleteAllUsersByDomain

Removes all user–role assignments in the given domain. Returns false if the model has no domain.

ok, err := e.DeleteAllUsersByDomain("domain1")

DeleteDomains

Removes all users and roles for the given domains. With no arguments, clears all domains.

ok, err := e.DeleteDomains("domain1", "domain2")

GetAllDomains

Returns all domains that appear in the policy.

res, _ := e.GetAllDomains()
Caution

Do not use :: in domain names; it is reserved in Casbin’s expression syntax.

GetAllRolesByDomain

Returns all roles that appear in the given domain.

res := e.GetAllRolesByDomain("domain1")
Note

Does not include roles inherited via hierarchy (implicit roles); only direct assignments in the domain.

GetImplicitUsersForResourceByDomain

Returns the implicit users (and their permissions) for the given resource and domain—i.e. users who have permission on the resource in that domain via their roles.

p, admin, domain1, data1, read
p, admin, domain1, data1, write
p, admin, domain2, data2, read
p, admin, domain2, data2, write
g, alice, admin, domain1
g, bob, admin, domain2

Example: with the policy above, GetImplicitUsersForResourceByDomain("data1", "domain1") returns the permissions for users who can access data1 in domain1 (e.g. alice via role admin).

ImplicitUsers, err := e.GetImplicitUsersForResourceByDomain("data1", "domain1")
Note

Only user-level results are returned; role names (the second element in g rules) are not listed.
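
The resolution described above, as an added example that is not part of the original page and not Casbin's own code: a standard-library Go stand-in that expands the page's policy into per-user permissions for one resource and domain. The names policyCSV and implicitUsers are hypothetical, and following role chains inside the domain is an assumption that goes beyond the page's single-level example.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy rules copied from the page (p = permission, g = role link).
const policyCSV = `p, admin, domain1, data1, read
p, admin, domain1, data1, write
p, admin, domain2, data2, read
p, admin, domain2, data2, write
g, alice, admin, domain1
g, bob, admin, domain2`

// implicitUsers is a hypothetical stand-in, not Casbin code. It expands each p
// rule for (resource, domain) to the users linked to its subject in that domain.
func implicitUsers(csv, resource, domain string) [][]string {
	members := map[string][]string{} // role -> direct members, this domain only
	var perms [][]string
	for _, line := range strings.Split(csv, "\n") {
		f := strings.Fields(strings.ReplaceAll(line, ",", " "))
		if len(f) == 5 && f[0] == "p" && f[2] == domain && f[3] == resource {
			perms = append(perms, f)
		} else if len(f) == 4 && f[0] == "g" && f[3] == domain {
			members[f[2]] = append(members[f[2]], f[1])
		}
	}
	out := [][]string{}
	for _, p := range perms {
		seen := map[string]bool{p[1]: true}
		for queue := []string{p[1]}; len(queue) > 0; queue = queue[1:] {
			if len(members[queue[0]]) == 0 { // a user: role names are never reported
				out = append(out, []string{queue[0], domain, resource, p[4]})
			}
			for _, m := range members[queue[0]] { // follow role hierarchy
				if !seen[m] {
					seen[m] = true
					queue = append(queue, m)
				}
			}
		}
	}
	return out
}

func main() {
	fmt.Println(implicitUsers(policyCSV, "data1", "domain1")) // alice: read, write
	fmt.Println(implicitUsers(policyCSV, "data1", "domain2")) // empty: bob's role is in domain2
}
```

The empty result for data1 in domain2 is the tenant-isolation property worth asserting in tests of a real policy: a role link in one domain must never surface a user in another.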