Skip to main content

Supported Models

  1. ACL (Access Control List)
  2. ACL with superuser
  3. ACL without users: especially useful for systems that don't have authentication or user log-ins.
  4. ACL without resources: some scenarios may target for a type of resources instead of an individual resource by using permissions like write-article, read-log. It doesn't control the access to a specific article or log.
  5. RBAC (Role-Based Access Control)
  6. RBAC with resource roles: both users and resources can have roles (or groups) at the same time.
  7. RBAC with domains/tenants: users can have different role sets for different domains/tenants.
  8. ABAC (Attribute-Based Access Control): syntax sugar like resource.Owner can be used to get the attribute for a resource.
  9. RESTful: supports paths like /res/*, /res/:id and HTTP methods like GET, POST, PUT, DELETE.
  10. Deny-override: both allow and deny authorizations are supported, deny overrides the allow.
  11. Priority: the policy rules can be prioritized like firewall rules.


ModelModel filePolicy file
ACL with superuserbasic_with_root_model.confbasic_policy.csv
ACL without usersbasic_without_users_model.confbasic_without_users_policy.csv
ACL without resourcesbasic_without_resources_model.confbasic_without_resources_policy.csv
RBAC with resource rolesrbac_with_resource_roles_model.confrbac_with_resource_roles_policy.csv
RBAC with domains/tenantsrbac_with_domains_model.confrbac_with_domains_policy.csv
Explicit Prioritypriority_model_explicitpriority_policy_explicit.csv