Skip to main content

Casbin RBAC vs. RBAC96

Casbin RBAC and RBAC96

In this document, we will compare Casbin RBAC with RBAC96.

Casbin RBAC supports nearly all the features of RBAC96 and adds new features on top of that.

RBAC VersionSupport LevelDescription
RBAC0Fully SupportedRBAC0 is the basic version of RBAC96. It clarifies the relationship between Users, Roles, and Permissions.
RBAC1Fully SupportedRBAC1 adds role hierarchies on top of RBAC0. This means that if alice has role1, role1 has role2, then alice will also have role2 and inherit its permissions.
RBAC2Mutually Exclusive Handling Supported (like this)RBAC2 adds constraints on RBAC0. This allows RBAC2 to handle mutually exclusive policies. However, quantitative limits are not supported.
RBAC3Mutually Exclusive Handling Supported (like this)RBAC3 is a combination of RBAC1 and RBAC2. It supports role hierarchies and constraints found in RBAC1 and RBAC2. However, quantitative limits are not supported.

The Difference Between Casbin RBAC and RBAC96

  1. In Casbin, the distinction between User and Role is not as clear as in RBAC96.

    In Casbin, both the User and the Role are treated as strings. For example, consider the following policy file:

    p, admin, book, read
    p, alice, book, read
    g, amber, admin

    If you call the method GetAllSubjects() using an instance of the Casbin Enforcer:

    e.GetAllSubjects()

    the return value will be:

    [admin alice]

    This is because in Casbin, subjects include both Users and Roles.

    However, if you call the method GetAllRoles():

    e.GetAllRoles()

    the return value will be:

    [admin]

    From this, you can see that there is a distinction between Users and Roles in Casbin, but it is not as sharp as in RBAC96. Of course, you can add a prefix to your policies such as user::alice and role::admin to clarify their relationships.

  2. Casbin RBAC provides more permissions than RBAC96.

    RBAC96 defines only 7 permissions: read, write, append, execute, credit, debit, and inquiry.

    However, in Casbin, we treat permissions as strings. This allows you to create permissions that better suit your needs.

  3. Casbin RBAC supports domains.

    In Casbin, you can perform authorizations based on domains. This feature makes your Access Control Model more flexible.