RBAC vs. RBAC96
Casbin RBAC and RBAC96
This page compares Casbin’s RBAC with the RBAC96 model. Casbin supports the main RBAC96 ideas and adds domains and flexible permissions.
| RBAC96 | Casbin support | Notes |
|---|---|---|
| RBAC0 | ✅ Full | Users, roles, permissions and their relationships. |
| RBAC1 | ✅ Full | Role hierarchy (e.g. alice→role1→role2). |
| RBAC2 | ⚠️ Partial | Constraint-style handling (e.g. deny-override) via policy effect. No quantitative limits. |
| RBAC3 | ⚠️ Partial | RBAC1 + RBAC2; constraints as above, no quantitative limits. |
Differences from RBAC96
1. User vs. role
Casbin does not separate “user” and “role” in the type system; both are plain strings. Given this policy:
p, admin, book, read
p, alice, book, read
g, amber, admin
GetAllSubjects() returns both users and roles that appear as subjects in policy ([admin alice]). GetAllRoles() returns only the right-hand side of g rules ([admin]). So Casbin infers the distinction from usage; for strict separation use a naming convention (e.g. user::alice, role::admin).
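The inference described above, as an added example that is not Casbin's code and does not use the Casbin library: a standalone Go program that derives the subject and role lists from policy lines the way this section describes, and flags identifiers that break the user::/role:: convention. `Analyze` and the two policy constants are hypothetical names; policy fields are assumed to be simple comma-separated tokens with no quoting or embedded spaces.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample: the page's three rules, then the same rules with user::/role:: prefixes.
const pagePolicy = "p, admin, book, read\np, alice, book, read\ng, amber, admin"
const prefixedPolicy = "p, role::admin, book, read\np, user::alice, book, read\ng, user::amber, role::admin"

// Analyze is a hypothetical helper, not a Casbin API. Subjects are the first
// field of p rules and roles the right-hand side of g rules, as the page
// describes; violations are identifiers that break the naming convention.
func Analyze(policy string) (subjects, roles, violations []string) {
	seen := map[string]bool{}
	add := func(list *[]string, kind, v string) { // append v once per list
		if !seen[kind+v] {
			seen[kind+v] = true
			*list = append(*list, v)
		}
	}
	check := func(v string, roleOnly bool) { // roleOnly: v must carry role::
		isRole, isUser := strings.HasPrefix(v, "role::"), strings.HasPrefix(v, "user::")
		if !isRole && (roleOnly || !isUser) {
			add(&violations, "v:", v)
		}
	}
	for _, line := range strings.Split(policy, "\n") {
		// Assumption: tokens contain no spaces or commas, so Fields is enough.
		f := strings.Fields(strings.ReplaceAll(line, ",", " "))
		switch {
		case len(f) >= 2 && f[0] == "p":
			add(&subjects, "s:", f[1])
			check(f[1], false)
		case len(f) >= 3 && f[0] == "g":
			add(&roles, "r:", f[2])
			check(f[1], false)
			check(f[2], true)
		}
	}
	return
}

func main() {
	fmt.Println(Analyze(pagePolicy))
	fmt.Println(Analyze(prefixedPolicy))
}
```

On the page's policy every identifier is flagged, because nothing in the bare strings `admin`, `alice` or `amber` says which namespace they belong to; the prefixed policy passes with no violations.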
2. Permissions
RBAC96 fixes seven permission types. In Casbin, permissions are arbitrary strings (e.g. read, write, approve), so you can define whatever actions your application needs.
3. Domains
Casbin supports RBAC with domains, so roles and permissions can be scoped per tenant or domain—beyond the standard RBAC96 model.