Skip to main content

RBAC with Domains

Role definition with domains tenants

The RBAC roles in Casbin can be global or domain-specific. Domain-specify roles mean that the roles for a user can be different when the user is at different domains/tenants. This is very useful for large systems like a cloud, as the users are usually in different tenants.

The role definition with domains/tenants should be something like:

g = _, _, _

The 3rd _ means the name of domain/tenant, this part should not be changed. Then the policy can be:

p, admin, tenant1, data1, read
p, admin, tenant2, data2, read

g, alice, admin, tenant1
g, alice, user, tenant2

It means admin role in tenant1 can read data1. And alice has admin role in tenant1, and has user role in tenant2. So she can read data1. However, since alice is not an admin in tenant2, she cannot read data2.

Then in a matcher, you should check the role as below:

m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

Please see the rbac_with_domains_model.conf for examples.

Token name convention

Note: Conventionally domain token name in policy definition is dom and placed as the second token(sub, dom, obj, act). Now Golang Casbin supports customized token name & place. If the domain token name is dom, the domain token can be placed at an arbitrary place and no extra action needs. If the domain token name is not dom , e.SetFieldIndex() for constant.DomainIndex should be called after the enforcer is initialized regardless of its position.

# `domain` here for `dom`
p = sub, obj, act, domain
e.SetFieldIndex("p", constant.DomainIndex, 3) // index start from 0
users := e.GetAllUsersByDomain("domain1") // without SetFieldIndex, it will raise an error