RBAC API

Uma API mais amigável para RBAC. Esta API é um subconjunto da API de Gerenciamento. Os usuários RBAC poderiam usar esta API para simplificar o código.

Referência

a variável global e é uma instância de Enforcer.

Go

e, err := NewEnforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")

Node.js

const e = await newEnforcer('examples/rbac_model.conf', 'examples/rbac_policy.csv')

PHP

$e = new Enforcer('examples/rbac_model.conf', 'examples/rbac_policy.csv');

Python

e = casbin.Enforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")

.NET

var e = new Enforcer("path/to/model.conf", "path/to/policy.csv");

Rust

let mut e = Enforcer::new("examples/rbac_model.conf", "examples/rbac_policy.csv").await?;

Java

Enforcer e = new Enforcer("examples/rbac_model.conf", "examples/rbac_policy.csv");

GetRolesForUser()

GetRolesForUser obtém os papéis que um usuário possui.

Por exemplo:

Go

res := e.GetRolesForUser("alice")

Node.js

const res = await e.getRolesForUser('alice')

PHP

$res = $e->getRolesForUser("alice");

Python

roles = e.get_roles_for_user("alice")

.NET

var res = e.GetRolesForUser("alice");

Rust

let roles = e.get_roles_for_user("alice", None); // No domain

Java

List<String> res = e.getRolesForUser("alice");

GetUsersForRole()

GetUsersForRole obtém os usuários que possuem um papel.

Por exemplo:

Go

res := e.GetUsersForRole("data1_admin")

Node.js

const res = await e.getUsersForRole('data1_admin')

PHP

$res = $e->getUsersForRole("data1_admin");

Python

users = e.get_users_for_role("data1_admin")

.NET

var res = e.GetUsersForRole("data1_admin");

Rust

let users = e.get_users_for_role("data1_admin", None); // No domain

Java

List<String> res = e.getUsersForRole("data1_admin");

HasRoleForUser()

HasRoleForUser determina se um usuário possui um papel.

Por exemplo:

Go

res := e.HasRoleForUser("alice", "data1_admin")

Node.js

const res = await e.hasRoleForUser('alice', 'data1_admin')

PHP

$res = $e->hasRoleForUser("alice", "data1_admin");

Python

has = e.has_role_for_user("alice", "data1_admin")

.NET

var res = e.HasRoleForUser("alice", "data1_admin");

Rust

let has = e.has_role_for_user("alice", "data1_admin", None); // No domain

Java

boolean res = e.hasRoleForUser("alice", "data1_admin");

AddRoleForUser()

AddRoleForUser adiciona um papel para um usuário. Retorna falso se o usuário já possui o papel (ou seja, não afetado).

Por exemplo:

Go

e.AddRoleForUser("alice", "data2_admin")

Node.js

await e.addRoleForUser('alice', 'data2_admin')

PHP

$e->addRoleForUser("alice", "data2_admin");

Python

e.add_role_for_user("alice", "data2_admin")

.NET

var added = e.AddRoleForUser("alice", "data2_admin");
or
var added = await e.AddRoleForUserAsync("alice", "data2_admin");

Rust

let added = e.add_role_for_user("alice", "data2_admin", None).await?; // No domain

Java

boolean added = e.addRoleForUser("alice", "data2_admin");

AddRolesForUser()

AddRolesForUser adiciona múltiplos papéis para um usuário. Retorna falso se o usuário já possui um desses papéis (ou seja, não afetado).

Por exemplo:

Go

var roles = []string{"data2_admin", "data1_admin"}
e.AddRolesForUser("alice", roles)

Node.js

const roles = ["data1_admin", "data2_admin"];
roles.map((role) => e.addRoleForUser("alice", role));

Rust

let roles = vec!["data1_admin".to_owned(), "data2_admin".to_owned()];
let all_added = e.add_roles_for_user("alice", roles, None).await?; // No domain

DeleteRoleForUser()

DeleteRoleForUser deleta um papel de um usuário. Retorna falso se o usuário não possui o papel (ou seja, não afetado).

Por exemplo:

Go

e.DeleteRoleForUser("alice", "data1_admin")

Node.js

await e.deleteRoleForUser('alice', 'data1_admin')

PHP

$e->deleteRoleForUser("alice", "data1_admin");

Python

e.delete_role_for_user("alice", "data1_admin")

.NET

var deleted = e.DeleteRoleForUser("alice", "data1_admin");
or
var deleted = await e.DeleteRoleForUser("alice", "data1_admin");

Rust

let deleted = e.delete_role_for_user("alice", "data1_admin", None).await?; // No domain

Java

boolean deleted = e.deleteRoleForUser("alice", "data1_admin");

DeleteRolesForUser()

DeleteRolesForUser deleta todos os papéis de um usuário. Retorna falso se o usuário não possui nenhum papel (ou seja, não afetado).

Por exemplo:

Go

e.DeleteRolesForUser("alice")

Node.js

await e.deleteRolesForUser('alice')

PHP

$e->deleteRolesForUser("alice");

Python

e.delete_roles_for_user("alice")

.NET

var deletedAtLeastOne = e.DeleteRolesForUser("alice");
or
var deletedAtLeastOne = await e.DeleteRolesForUserAsync("alice");

Rust

let deleted_at_least_one = e.delete_roles_for_user("alice", None).await?; // No domain

Java

boolean deletedAtLeastOne = e.deleteRolesForUser("alice");

DeleteUser()

DeleteUser deleta um usuário. Retorna falso se o usuário não existe (ou seja, não afetado).

Por exemplo:

Go

e.DeleteUser("alice")

Node.js

await e.deleteUser('alice')

PHP

$e->deleteUser("alice");

Python

e.delete_user("alice")

.NET

var deleted = e.DeleteUser("alice");
or
var deleted = await e.DeleteUserAsync("alice");

Rust

let deleted = e.delete_user("alice").await?;

Java

boolean deleted = e.deleteUser("alice");

DeleteRole()

DeleteRole deleta um papel.

Por exemplo:

Go

e.DeleteRole("data2_admin")

Node.js

await e.deleteRole("data2_admin")

PHP

$e->deleteRole("data2_admin");

Python

e.delete_role("data2_admin")

.NET

var deleted = e.DeleteRole("data2_admin");
or
var deleted = await e.DeleteRoleAsync("data2_admin");

Rust

let deleted = e.delete_role("data2_admin").await?;

Java

e.deleteRole("data2_admin");

DeletePermission()

DeletePermission deleta uma permissão. Retorna falso se a permissão não existe (ou seja, não afetado).

Por exemplo:

Go

e.DeletePermission("read")

Node.js

await e.deletePermission('read')

PHP

$e->deletePermission("read");

Python

e.delete_permission("read")

.NET

var deleted = e.DeletePermission("read");
or
var deleted = await e.DeletePermissionAsync("read");

Rust

let deleted = e.delete_permission(vec!["read".to_owned()]).await?;

Java

boolean deleted = e.deletePermission("read");

AddPermissionForUser()

AddPermissionForUser adiciona uma permissão para um usuário ou papel. Retorna falso se o usuário ou papel já possui a permissão (ou seja, não afetado).

Por exemplo:

Go

e.AddPermissionForUser("bob", "read")

Node.js

await e.addPermissionForUser('bob', 'read')

PHP

$e->addPermissionForUser("bob", "read");

Python

e.add_permission_for_user("bob", "read")

.NET

var added = e.AddPermissionForUser("bob", "read");
or
var added = await e.AddPermissionForUserAsync("bob", "read");

Rust

let added = e.add_permission_for_user("bob", vec!["read".to_owned()]).await?;

Java

boolean added = e.addPermissionForUser("bob", "read");

AddPermissionsForUser()

AddPermissionsForUser adiciona múltiplas permissões para um usuário ou papel. Retorna falso se o usuário ou papel já possui uma das permissões (ou seja, não afetado).

Por exemplo:

Go

var permissions = [][]string{{"data1", "read"},{"data2","write"}}
for i := 0; i < len(permissions); i++ {
    e.AddPermissionsForUser("alice", permissions[i])
}

Node.js

const permissions = [
    ["data1", "read"],
    ["data2", "write"],
];

permissions.map((permission) => e.addPermissionForUser("bob", ...permission));

Rust

let permissions = vec![
    vec!["data1".to_owned(), "read".to_owned()],
    vec!["data2".to_owned(), "write".to_owned()],
];

let all_added = e.add_permissions_for_user("bob", permissions).await?;

DeletePermissionForUser()

DeletePermissionForUser deleta uma permissão de um usuário ou papel. Retorna falso se o usuário ou papel não possui a permissão (ou seja, não afetado).

Por exemplo:

Go

e.DeletePermissionForUser("bob", "read")

Node.js

await e.deletePermissionForUser("bob", "read")

PHP

$e->deletePermissionForUser("bob", "read");

Python

e.delete_permission_for_user("bob", "read")

.NET

var deleted = e.DeletePermissionForUser("bob", "read");
or
var deleted = await e.DeletePermissionForUserAsync("bob", "read");

Rust

let deleted = e.delete_permission_for_user("bob", vec!["read".to_owned()]).await?;

Java

boolean deleted = e.deletePermissionForUser("bob", "read");

DeletePermissionsForUser()

DeletePermissionsForUser deleta permissões de um usuário ou papel. Retorna falso se o usuário ou papel não possui nenhuma permissão (ou seja, não afetado).

Por exemplo:

Go

e.DeletePermissionsForUser("bob")

Node.js

await e.deletePermissionsForUser('bob')

PHP

$e->deletePermissionsForUser("bob");

Python

e.delete_permissions_for_user("bob")

.NET

var deletedAtLeastOne = e.DeletePermissionsForUser("bob");
or
var deletedAtLeastOne = await e.DeletePermissionsForUserAsync("bob");

Rust

let deleted_at_least_one = e.delete_permissions_for_user("bob").await?;

Java

boolean deletedAtLeastOne = e.deletePermissionForUser("bob");

GetPermissionsForUser()

GetPermissionsForUser obtém permissões para um usuário ou papel.

Por exemplo:

Go

e.GetPermissionsForUser("bob")

Node.js

await e.getPermissionsForUser('bob')

PHP

$e->getPermissionsForUser("bob");

Python

e.get_permissions_for_user("bob")

.NET

var permissions = e.GetPermissionsForUser("bob");

Java

List<List<String>> permissions = e.getPermissionsForUser("bob");

HasPermissionForUser()

HasPermissionForUser determina se um usuário possui uma permissão.

Por exemplo:

Go

e.HasPermissionForUser("alice", []string{"read"})

Node.js

await e.hasPermissionForUser('alice', 'read')

PHP

$e->hasPermissionForUser("alice", []string{"read"});

Python

has = e.has_permission_for_user("alice", "read")

.NET

var has = e.HasPermissionForUser("bob", "read");

Rust

let has = e.has_permission_for_user("alice", vec!["data1".to_owned(), "read".to_owned()]);

Java

boolean has = e.hasPermissionForUser("alice", "read");

GetImplicitRolesForUser()

GetImplicitRolesForUser gets implicit roles that a user has. Compared to GetRolesForUser(), this function retrieves indirect roles besides direct roles.

For example:

g, alice, role:admin  
g, role:admin, role:user  

GetRolesForUser("alice") can only get: ["role:admin"].\ But GetImplicitRolesForUser("alice") will get: ["role:admin", "role:user"].

For example:

Go

e.GetImplicitRolesForUser("alice")

Node.js

await e.getImplicitRolesForUser("alice")

PHP

$e->getImplicitRolesForUser("alice");

Python

e.get_implicit_roles_for_user("alice")

.NET

var implicitRoles = e.GetImplicitRolesForUser("alice");

Rust

e.get_implicit_roles_for_user("alice", None); // No domain

Java

List<String> implicitRoles = e.getImplicitRolesForUser("alice");

GetImplicitUsersForRole()

GetImplicitUsersForRole gets all users inheriting the role. Compared to GetUsersForRole(), this function retrieves indirect users.

For example:

g, alice, role:admin  
g, role:admin, role:user  

GetUsersForRole("role:user") can only get: ["role:admin"].\ But GetImplicitUesrsForRole("role:user") will get: ["role:admin", "alice"].

For example:

Go

users := e.GetImplicitUsersForRole("role:user")

Node.js

const users = e.getImplicitUsersForRole("role:user");

Java

List<String> users = e.getImplicitUsersForRole("role:user");

GetImplicitPermissionsForUser()

GetImplicitPermissionsForUser gets implicit permissions for a user or role.\ Compared to GetPermissionsForUser(), this function retrieves permissions for inherited roles.

For example:

p, admin, data1, read  
p, alice, data2, read  
g, alice, admin 

GetPermissionsForUser("alice") can only get: [["alice", "data2", "read"]].\ But GetImplicitPermissionsForUser("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].

For example:

Go

e.GetImplicitPermissionsForUser("alice")

Node.js

await e.getImplicitPermissionsForUser("alice")

PHP

$e->getImplicitPermissionsForUser("alice");

Python

e.get_implicit_permissions_for_user("alice")

.NET

var implicitPermissions = e.GetImplicitPermissionsForUser("alice");

Rust

e.get_implicit_permissions_for_user("alice", None); // No domain

Java

List<List<String>> implicitPermissions = e.getImplicitPermissionsForUser("alice");

GetNamedImplicitPermissionsForUser()

GetNamedImplicitPermissionsForUser gets implicit permissions for a user or role by named policy Compared to GetImplicitPermissionsForUser(), this function allow you to specify the policy name.

For example:

p, admin, data1, read
p2, admin, create
g, alice, admin

GetImplicitPermissionsForUser("alice") only get: [["admin", "data1", "read"]], whose policy is default "p"

But you can specify the policy as "p2" to get: [["admin", "create"]] by GetNamedImplicitPermissionsForUser("p2","alice")

For example:

Go

e.GetNamedImplicitPermissionsForUser("p2","alice")

Python

e.get_named_implicit_permissions_for_user("p2", "alice")

GetDomainsForUser()

GetDomainsForUser gets all domains which a user has.

For example:

p, admin, domain1, data1, read
p, admin, domain2, data2, read
p, admin, domain2, data2, write
g, alice, admin, domain1
g, alice, admin, domain2

GetDomainsForUser("alice") could get ["domain1", "domain2"]

For example:

Go

result, err := e.GetDomainsForUser("alice")

GetImplicitResourcesForUser()

GetImplicitResourcesForUser returns all policies that should be true for user.

For example:

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write

g, alice, data2_admin

GetImplicitResourcesForUser("alice") will return [[alice data1 read] [alice data2 read] [alice data2 write]]

Go

resources, err := e.GetImplicitResourcesForUser("alice")

GetImplicitUsersForPermission()

GetImplicitUsersForPermission gets implicit users for a permission.

For example:

p, admin, data1, read
p, bob, data1, read
g, alice, admin

GetImplicitUsersForPermission("data1", "read") will return: ["alice", "bob"].

Note: only users will be returned, roles (2nd arg in "g") will be excluded.

Go

users, err := e.GetImplicitUsersForPermission("data1", "read")

GetAllowedObjectConditions()

GetAllowedObjectConditions returns a string array of object conditions that the user can access.

For example:

p, alice, r.obj.price < 25, read
p, admin, r.obj.category_id = 2, read
p, bob, r.obj.author = bob, write

g, alice, admin

e.GetAllowedObjectConditions("alice", "read", "r.obj.") will return ["price < 25", "category_id = 2"], nil

Note:

0. prefix: You can customize the prefix of the object conditions, and "r.obj." is commonly used as a prefix. After removing the prefix, the remaining part is the condition of the object. If there is an obj policy that does not meet the prefix requirement, an errors.ERR_OBJ_CONDITION will be returned.

1. If the 'objectConditions' array is empty, return errors.ERR_EMPTY_CONDITION This error is returned because some data adapters' ORM return full table data by default when they receive an empty condition, which tends to behave contrary to expectations.(e.g. GORM) If you are using an adapter that does not behave like this, you can choose to ignore this error.

Go

conditions, err := e.GetAllowedObjectConditions("alice", "read", "r.obj.")

GetImplicitUsersForResource()

GetImplicitUsersForResource return implicit user based on resource.

For example:

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin

GetImplicitUsersForResource("data2") will return [["bob", "data2", "write"], ["alice", "data2", "read"] ["alice", "data2", "write"]], nil.

GetImplicitUsersForResource("data1") will return [["alice", "data1", "read"]], nil.

Go

ImplicitUsers, err := e.GetImplicitUsersForResource("data2")

nota

Only users will be returned, roles (2nd arg in "g") will be excluded.