Menu Permissions
This page shows a Spring Boot example that uses jCasbin for menu-based access control. The same pattern (policy + role assignments + menu hierarchy) can be applied in other languages supported by Casbin.
1. Configuration
Define role–menu permissions, user–role assignments, and menu hierarchy in policy.csv. Full example: jCasbin menu permission.
1.1 Обзор
The policy file defines: (1) which roles can access which menu items, (2) which users have which roles, and (3) parent–child relationships between menu items. Together this gives role-based, hierarchical menu visibility.
1.2 Permission rules (p)
Lines starting with p define whether a role (sub) may perform an action (act) on a menu item (obj). The effect (eft) is allow or deny.
Примеры:
p, ROLE_ROOT, SystemMenu, read, allowgrantsROLE_ROOTread access toSystemMenu.p, ROLE_ROOT, UserMenu, read, denydeniesROLE_ROOTread access toUserMenu.
1.3 User–role assignments (g)
Lines starting with g assign users to roles and define role inheritance. Users get the union of permissions from all their roles.
Примеры:
g, user, ROLE_USERassigns the user namedusertoROLE_USER.g, ROLE_ADMIN, ROLE_USERmakesROLE_ADMINinherit all permissions fromROLE_USER.
1.4 Menu hierarchy (g2)
Lines starting with g2 define parent–child menu structure.
Примеры:
g2, UserSubMenu_allow, UserMenumakesUserSubMenu_allowa child ofUserMenu.g2, (NULL), SystemMenumarksSystemMenuas a top-level menu with no parent.
1.5 Menu permission inheritance
- If a parent menu has explicit
allow, its children inheritallowunless a child has explicitdeny. So allowing a parent allows its children. - If a parent has no explicit permission but at least one child has
allow, the parent is treated asallowso users can reach that child.
1.6 Deny and role inheritance
- Explicit deny wins: if a role is explicitly denied a menu, any role that inherits from it is also denied. Deny is not overridden by inheritance.
- Implicit deny (no
allowrule) is overridable: a more privileged role can add an explicitallowfor that menu.
1.7 Example policy
p, ROLE_ROOT, SystemMenu, read, allow
p, ROLE_ROOT, AdminMenu, read, allow
p, ROLE_ROOT, UserMenu, read, deny
p, ROLE_ADMIN, UserMenu, read, allow
p, ROLE_ADMIN, AdminMenu, read, allow
p, ROLE_ADMIN, AdminSubMenu_deny, read, deny
p, ROLE_USER, UserSubMenu_allow, read, allow
g, user, ROLE_USER
g, admin, ROLE_ADMIN
g, root, ROLE_ROOT
g, ROLE_ADMIN, ROLE_USER
g2, UserSubMenu_allow, UserMenu
g2, UserSubMenu_deny, UserMenu
g2, UserSubSubMenu, UserSubMenu_allow
g2, AdminSubMenu_allow, AdminMenu
g2, AdminSubMenu_deny, AdminMenu
g2, (NULL), SystemMenu
| MenuName | ROLE_ROOT | ROLE_ADMIN | ROLE_USER |
|---|---|---|---|
| SystemMenu | ✅ | ❌ | ❌ |
| UserMenu | ❌ | ✅ | ❌ |
| UserSubMenu_allow | ❌ | ✅ | ✅ |
| UserSubSubMenu | ❌ | ✅ | ✅ |
| UserSubMenu_deny | ��❌ | ✅ | ❌ |
| AdminMenu | ✅ | ✅ | ❌ |
| AdminSubMenu_allow | ✅ | ✅ | ❌ |
| AdminSubMenu_deny | ✅ | ❌ | ❌ |
2. Enforcing menu permissions
In the jCasbin menu permission example, MenuService provides findAccessibleMenus() (all menus a user can see) and checkMenuAccess() (check one menu). Both use the jCasbin enforcer under the hood.