Supported Models
Casbin supports the following access control models and patterns:
- ACL (Access Control List)
- ACL with superuser
- ACL without users — For systems without authentication or user identity (e.g. API-only or device access).
- ACL without resources — When permissions apply to resource types rather than specific instances (e.g. "write-article", "read-log").
- RBAC (Role-Based Access Control)
- RBAC with resource roles — Both users and resources can have roles (or group memberships).
- RBAC with domains/tenants — Users can have different roles in different domains or tenants.
- ABAC (Attribute-Based Access Control) — Uses attributes (e.g. resource.Owner) in rules.
- PBAC (Policy-Based Access Control) — Authorization is driven by rule-based policies for dynamic, context-aware decisions.
- BLP (Bell–LaPadula) — Formal model with security labels and clearances.
- Biba — Integrity model that restricts information flow to prevent unauthorized changes.
- LBAC (Lattice-Based Access Control) — Combines confidentiality and integrity in a lattice-based framework.
- OrBAC (Organisation-Based Access Control) — RBAC extended with abstraction layers for multi-organization policies.
- UCON (Usage Control) — Covers ongoing authorization, mutable attributes, obligations, and conditions.
- RESTful — Path patterns (e.g. /res/*, /res/:id) and HTTP methods (GET, POST, PUT, DELETE).
- IP Match — Match by IP address or CIDR for network-level control.
- Deny-override — Both allow and deny policies; deny overrides allow.
- Priority — Policy rules are ordered (e.g. like firewall rules); first match wins.
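Added example, not code from the Casbin project: a minimal pure-Python evaluator that reproduces three of the patterns above (RBAC with domains/tenants, deny-override, and priority) over one constructed policy set, so the difference between the two policy effects is visible on the same request. The role and policy rows, the tenant names and the `fnmatch`-based stand-in for Casbin's `keyMatch` are all assumptions made for this illustration.

```python
from fnmatch import fnmatchcase

# Constructed sample data. g rows: (user, role, domain), i.e. "alice is admin in tenant1".
ROLES = [
    ("alice", "admin", "tenant1"),
    ("bob", "reader", "tenant1"),
    ("alice", "reader", "tenant2"),
]

# Constructed p rows: (sub, dom, obj, act, eft). Order matters for the priority effect.
POLICY = [
    ("admin", "tenant1", "/data/*", "write", "allow"),
    ("alice", "tenant1", "/data/secret", "write", "deny"),
    ("reader", "*", "/data/*", "read", "allow"),
]

def has_role(user, role, domain):
    """Stand-in for g(r.sub, p.sub, r.dom): direct match or a role held in that domain."""
    if user == role:
        return True
    return any(u == user and r == role and d == domain for u, r, d in ROLES)

def matches(rule, sub, dom, obj, act):
    """Stand-in for the matcher
    m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && keyMatch(r.obj, p.obj) && r.act == p.act
    with glob matching (fnmatch) approximating keyMatch and a '*' domain wildcard."""
    p_sub, p_dom, p_obj, p_act, _ = rule
    return (has_role(sub, p_sub, dom)
            and fnmatchcase(dom, p_dom)
            and fnmatchcase(obj, p_obj)
            and act == p_act)

def enforce_deny_override(sub, dom, obj, act):
    """Deny-override effect: e = some(where (p.eft == allow)) && !some(where (p.eft == deny)).
    Any matching deny rule wins, regardless of position."""
    effects = [rule[4] for rule in POLICY if matches(rule, sub, dom, obj, act)]
    return "allow" in effects and "deny" not in effects

def enforce_priority(sub, dom, obj, act):
    """Priority effect: e = priority(p.eft) || deny.
    The first matching rule in policy order decides; no match means deny."""
    for rule in POLICY:
        if matches(rule, sub, dom, obj, act):
            return rule[4] == "allow"
    return False

if __name__ == "__main__":
    req = ("alice", "tenant1", "/data/secret", "write")
    print("deny-override:", enforce_deny_override(*req))  # False: the deny row matches
    print("priority:     ", enforce_priority(*req))       # True: the admin allow row comes first
```

The same request is refused under deny-override but permitted under priority because the deny row is listed after the admin allow row; under a priority model, row order is part of the policy and must be reviewed as such.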