RBAC API
API ที่เป็นมิตรกับผู้ใช้สำหรับ RBAC มากขึ้น API นี้เป็นส่วนย่อยของ Management API ผู้ใช้ RBAC สามารถใช้ API นี้เพื่อทำให้โค้ดง่ายขึ้น
อ้างอิง
ตัวแปร global e เป็น instance ของ Enforcer
e, err := NewEnforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")
const e = await newEnforcer('examples/rbac_model.conf', 'examples/rbac_policy.csv')
$e = new Enforcer('examples/rbac_model.conf', 'examples/rbac_policy.csv');
e = casbin.Enforcer("examples/rbac_model.conf", "examples/rbac_policy.csv")
var e = new Enforcer("path/to/model.conf", "path/to/policy.csv");
let mut e = Enforcer::new("examples/rbac_model.conf", "examples/rbac_policy.csv").await?;
Enforcer e = new Enforcer("examples/rbac_model.conf", "examples/rbac_policy.csv");
GetRolesForUser()
GetRolesForUser ใช้เพื่อดึงบทบาทที่ผู้ใช้มี
ตัวอย่าง:
res := e.GetRolesForUser("alice")
const res = await e.getRolesForUser('alice')
$res = $e->getRolesForUser("alice");
roles = e.get_roles_for_user("alice")
var res = e.GetRolesForUser("alice");
let roles = e.get_roles_for_user("alice", None); // No domain
List<String> res = e.getRolesForUser("alice");
GetUsersForRole()
GetUsersForRole ใช้เพื่อดึงผู้ใช้ที่มีบทบาทนั้นๆ
ตัวอย่าง:
res := e.GetUsersForRole("data1_admin")
const res = await e.getUsersForRole('data1_admin')
$res = $e->getUsersForRole("data1_admin");
users = e.get_users_for_role("data1_admin")
var res = e.GetUsersForRole("data1_admin");
let users = e.get_users_for_role("data1_admin", None); // No domain
List<String> res = e.getUsersForRole("data1_admin");
HasRoleForUser()
HasRoleForUser ใช้เพื่อตรวจสอบว่าผู้ใช้มีบทบาทนั้นหรือไม่
ตัวอย่าง:
res := e.HasRoleForUser("alice", "data1_admin")
const res = await e.hasRoleForUser('alice', 'data1_admin')
$res = $e->hasRoleForUser("alice", "data1_admin");
has = e.has_role_for_user("alice", "data1_admin")
var res = e.HasRoleForUser("alice", "data1_admin");
let has = e.has_role_for_user("alice", "data1_admin", None); // No domain
boolean res = e.hasRoleForUser("alice", "data1_admin");
AddRoleForUser()
AddRoleForUser ใช้เพื่อเพิ่มบทบาทให้กับผู้ใช้ จะคืนค่า false หากผู้ใช้มีบทบาทนั้นอยู่แล้ว (ไม่มีการเปลี่ยนแปลง)
ตัวอย่าง:
e.AddRoleForUser("alice", "data2_admin")
await e.addRoleForUser('alice', 'data2_admin')
$e->addRoleForUser("alice", "data2_admin");
e.add_role_for_user("alice", "data2_admin")
var added = e.AddRoleForUser("alice", "data2_admin");
or
var added = await e.AddRoleForUserAsync("alice", "data2_admin");
let added = e.add_role_for_user("alice", "data2_admin", None).await?; // No domain
boolean added = e.addRoleForUser("alice", "data2_admin");
AddRolesForUser()
AddRolesForUser ใช้เพื่อเพิ่มหลายบทบาทให้กับผู้ใช้ จะคืนค่า false หากผู้ใช้มีบทบาทใดบทบาทหนึ่งอยู่แล้ว (ไม่มีการเปลี่ยนแปลง)
ตัวอย่าง:
var roles = []string{"data2_admin", "data1_admin"}
e.AddRolesForUser("alice", roles)
const roles = ["data1_admin", "data2_admin"];
roles.map((role) => e.addRoleForUser("alice", role));
var roles = new List<string> { "data1_admin", "data2_admin" };
var allAdded = e.AddRolesForUser("alice", roles);
// or async
var allAdded = await e.AddRolesForUserAsync("alice", roles);
let roles = vec!["data1_admin".to_owned(), "data2_admin".to_owned()];
let all_added = e.add_roles_for_user("alice", roles, None).await?; // No domain
DeleteRoleForUser()
DeleteRoleForUser deletes a role for a user. Returns false if the user does not have the role (aka not affected).
For example:
e.DeleteRoleForUser("alice", "data1_admin")
await e.deleteRoleForUser('alice', 'data1_admin')
$e->deleteRoleForUser("alice", "data1_admin");
e.delete_role_for_user("alice", "data1_admin")
var deleted = e.DeleteRoleForUser("alice", "data1_admin");
or
var deleted = await e.DeleteRoleForUser("alice", "data1_admin");
let deleted = e.delete_role_for_user("alice", "data1_admin", None).await?; // No domain
boolean deleted = e.deleteRoleForUser("alice", "data1_admin");
DeleteRolesForUser()
DeleteRolesForUser deletes all roles for a user. Returns false if the user does not have any roles (aka not affected).
For example:
e.DeleteRolesForUser("alice")
await e.deleteRolesForUser('alice')
$e->deleteRolesForUser("alice");
e.delete_roles_for_user("alice")
var deletedAtLeastOne = e.DeleteRolesForUser("alice");
or
var deletedAtLeastOne = await e.DeleteRolesForUserAsync("alice");
let deleted_at_least_one = e.delete_roles_for_user("alice", None).await?; // No domain
boolean deletedAtLeastOne = e.deleteRolesForUser("alice");
DeleteUser()
DeleteUser deletes a user. Returns false if the user does not exist (aka not affected).
For example:
e.DeleteUser("alice")
await e.deleteUser('alice')
$e->deleteUser("alice");
e.delete_user("alice")
var deleted = e.DeleteUser("alice");
or
var deleted = await e.DeleteUserAsync("alice");
let deleted = e.delete_user("alice").await?;
boolean deleted = e.deleteUser("alice");
DeleteRole()
DeleteRole deletes a role.
For example:
e.DeleteRole("data2_admin")
await e.deleteRole("data2_admin")
$e->deleteRole("data2_admin");
e.delete_role("data2_admin")
var deleted = e.DeleteRole("data2_admin");
or
var deleted = await e.DeleteRoleAsync("data2_admin");
let deleted = e.delete_role("data2_admin").await?;
e.deleteRole("data2_admin");
DeletePermission()
DeletePermission deletes a permission. Returns false if the permission does not exist (aka not affected).
For example:
e.DeletePermission("read")
await e.deletePermission('read')
$e->deletePermission("read");
e.delete_permission("read")
var deleted = e.DeletePermission("read");
or
var deleted = await e.DeletePermissionAsync("read");
let deleted = e.delete_permission(vec!["read".to_owned()]).await?;
boolean deleted = e.deletePermission("read");
AddPermissionForUser()
AddPermissionForUser adds a permission for a user or role. Returns false if the user or role already has the permission (aka not affected).
For example:
e.AddPermissionForUser("bob", "read")
await e.addPermissionForUser('bob', 'read')
$e->addPermissionForUser("bob", "read");
e.add_permission_for_user("bob", "read")
var added = e.AddPermissionForUser("bob", "read");
or
var added = await e.AddPermissionForUserAsync("bob", "read");
let added = e.add_permission_for_user("bob", vec!["read".to_owned()]).await?;
boolean added = e.addPermissionForUser("bob", "read");
AddPermissionsForUser()
AddPermissionsForUser adds multiple permissions for a user or role. Returns false if the user or role already has one of the permissions (aka not affected).
For example:
var permissions = [][]string{{"data1", "read"},{"data2","write"}}
for i := 0; i < len(permissions); i++ {
e.AddPermissionsForUser("alice", permissions[i])
}
const permissions = [
["data1", "read"],
["data2", "write"],
];
permissions.map((permission) => e.addPermissionForUser("bob", ...permission));
var permissions = new List<List<string>>
{
new List<string> { "data1", "read" },
new List<string> { "data2", "write" }
};
foreach (var permission in permissions)
{
var added = e.AddPermissionForUser("bob", permission.ToArray());
// or async
var added = await e.AddPermissionForUserAsync("bob", permission.ToArray());
}
let permissions = vec![
vec!["data1".to_owned(), "read".to_owned()],
vec!["data2".to_owned(), "write".to_owned()],
];
let all_added = e.add_permissions_for_user("bob", permissions).await?;
DeletePermissionForUser()
DeletePermissionForUser deletes a permission for a user or role. Returns false if the user or role does not have the permission (aka not affected).
For example:
e.DeletePermissionForUser("bob", "read")
await e.deletePermissionForUser("bob", "read")
$e->deletePermissionForUser("bob", "read");
e.delete_permission_for_user("bob", "read")
var deleted = e.DeletePermissionForUser("bob", "read");
or
var deleted = await e.DeletePermissionForUserAsync("bob", "read");
let deleted = e.delete_permission_for_user("bob", vec!["read".to_owned()]).await?;
boolean deleted = e.deletePermissionForUser("bob", "read");
DeletePermissionsForUser()
DeletePermissionsForUser deletes permissions for a user or role. Returns false if the user or role does not have any permissions (aka not affected).
For example:
e.DeletePermissionsForUser("bob")
await e.deletePermissionsForUser('bob')
$e->deletePermissionsForUser("bob");
e.delete_permissions_for_user("bob")
var deletedAtLeastOne = e.DeletePermissionsForUser("bob");
or
var deletedAtLeastOne = await e.DeletePermissionsForUserAsync("bob");
let deleted_at_least_one = e.delete_permissions_for_user("bob").await?;
boolean deletedAtLeastOne = e.deletePermissionForUser("bob");
GetPermissionsForUser()
GetPermissionsForUser gets permissions for a user or role.
For example:
e.GetPermissionsForUser("bob")
await e.getPermissionsForUser('bob')
$e->getPermissionsForUser("bob");
e.get_permissions_for_user("bob")
var permissions = e.GetPermissionsForUser("bob");
List<List<String>> permissions = e.getPermissionsForUser("bob");
GetNamedPermissionsForUser()
GetNamedPermissionsForUser gets permissions for a user or role by named policy.
For example:
p, alice, data1, read
p, bob, data2, write
p2, admin, create
g, alice, admin
GetNamedPermissionsForUser("p", "alice") will return [["alice", "data1", "read"]].
GetNamedPermissionsForUser("p2", "alice") will return [["admin", "create"]].
permissions, err := e.GetNamedPermissionsForUser("p", "alice")
var permissions = e.GetNamedPermissionsForUser("p", "alice");
permissions = e.get_named_permissions_for_user("p", "alice")
HasPermissionForUser()
HasPermissionForUser determines whether a user has a permission.
For example:
e.HasPermissionForUser("alice", []string{"read"})
await e.hasPermissionForUser('alice', 'read')
$e->hasPermissionForUser("alice", []string{"read"});
has = e.has_permission_for_user("alice", "read")
var has = e.HasPermissionForUser("bob", "read");
let has = e.has_permission_for_user("alice", vec!["data1".to_owned(), "read".to_owned()]);
boolean has = e.hasPermissionForUser("alice", "read");
GetImplicitRolesForUser()
GetImplicitRolesForUser gets implicit roles that a user has. Compared to GetRolesForUser(), this function retrieves indirect roles besides direct roles.
For example:
g, alice, role:admin
g, role:admin, role:user
GetRolesForUser("alice") can only get: ["role:admin"].
But GetImplicitRolesForUser("alice") will get: ["role:admin", "role:user"].
For example:
e.GetImplicitRolesForUser("alice")
await e.getImplicitRolesForUser("alice")
$e->getImplicitRolesForUser("alice");
e.get_implicit_roles_for_user("alice")
var implicitRoles = e.GetImplicitRolesForUser("alice");
e.get_implicit_roles_for_user("alice", None); // No domain
List<String> implicitRoles = e.getImplicitRolesForUser("alice");
GetNamedImplicitRolesForUser()
GetNamedImplicitRolesForUser gets implicit roles that a user has by named policy.
For example:
g, alice, admin
g, admin, super_admin
g2, alice, user
g2, user, guest
GetNamedImplicitRolesForUser("g", "alice") will return ["admin", "super_admin"].
GetNamedImplicitRolesForUser("g2", "alice") will return ["user", "guest"].
roles, err := e.GetNamedImplicitRolesForUser("g", "alice")
var roles = e.GetNamedImplicitRolesForUser("g", "alice");
roles = e.get_named_implicit_roles_for_user("g", "alice")
GetImplicitUsersForRole()
GetImplicitUsersForRole gets all users inheriting the role. Compared to GetUsersForRole(), this function retrieves indirect users.
For example:
g, alice, role:admin
g, role:admin, role:user
GetUsersForRole("role:user") can only get: ["role:admin"].
But GetImplicitUesrsForRole("role:user") will get: ["role:admin", "alice"].
For example:
users := e.GetImplicitUsersForRole("role:user")
const users = e.getImplicitUsersForRole("role:user");
List<String> users = e.getImplicitUsersForRole("role:user");
GetImplicitPermissionsForUser()
GetImplicitPermissionsForUser gets implicit permissions for a user or role.
Compared to GetPermissionsForUser(), this function retrieves permissions for inherited roles.
For example:
p, admin, data1, read
p, alice, data2, read
g, alice, admin
GetPermissionsForUser("alice") can only get: [["alice", "data2", "read"]].
But GetImplicitPermissionsForUser("alice") will get: [["admin", "data1", "read"], ["alice", "data2", "read"]].
For example:
e.GetImplicitPermissionsForUser("alice")
await e.getImplicitPermissionsForUser("alice")
$e->getImplicitPermissionsForUser("alice");
e.get_implicit_permissions_for_user("alice")
var implicitPermissions = e.GetImplicitPermissionsForUser("alice");
e.get_implicit_permissions_for_user("alice", None); // No domain
List<List<String>> implicitPermissions = e.getImplicitPermissionsForUser("alice");
GetNamedImplicitPermissionsForUser()
GetNamedImplicitPermissionsForUser gets implicit permissions for a user or role by named policy Compared to GetImplicitPermissionsForUser(), this function allow you to specify the policy name.
For example:
p, admin, data1, read
p2, admin, create
g, alice, admin
GetImplicitPermissionsForUser("alice") only get: [["admin", "data1", "read"]], whose policy is default "p"
But you can specify the policy as "p2" to get: [["admin", "create"]] by GetNamedImplicitPermissionsForUser("p2","alice")
For example:
e.GetNamedImplicitPermissionsForUser("p2","alice")
var permissions = e.GetNamedImplicitPermissionsForUser("p2", "alice");
e.get_named_implicit_permissions_for_user("p2", "alice")
GetDomainsForUser()
GetDomainsForUser gets all domains which a user has.
For example:
p, admin, domain1, data1, read
p, admin, domain2, data2, read
p, admin, domain2, data2, write
g, alice, admin, domain1
g, alice, admin, domain2
GetDomainsForUser("alice") could get ["domain1", "domain2"]
For example:
result, err := e.GetDomainsForUser("alice")
var result = e.GetDomainsForUser("alice");
GetImplicitResourcesForUser()
GetImplicitResourcesForUser returns all policies that should be true for user.
For example:
p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin
GetImplicitResourcesForUser("alice") will return
[[alice data1 read] [alice data2 read] [alice data2 write]]
resources, err := e.GetImplicitResourcesForUser("alice")
var resources = e.GetImplicitResourcesForUser("alice");
GetImplicitUsersForPermission()
GetImplicitUsersForPermission gets implicit users for a permission.
For example:
p, admin, data1, read
p, bob, data1, read
g, alice, admin
GetImplicitUsersForPermission("data1", "read") will return: ["alice", "bob"].
Note: only users will be returned, roles (2nd arg in "g") will be excluded.
users, err := e.GetImplicitUsersForPermission("data1", "read")
var users = e.GetImplicitUsersForPermission("data1", "read");
GetImplicitObjectPatternsForUser()
GetImplicitObjectPatternsForUser returns all object patterns (with wildcards) that a user has for a given domain and action.
For example:
p, admin, chronicle/123, location/*, read
p, user, chronicle/456, location/789, read
g, alice, admin
g, bob, user
GetImplicitObjectPatternsForUser("alice", "chronicle/123", "read") will return ["location/*"].
GetImplicitObjectPatternsForUser("bob", "chronicle/456", "read") will return ["location/789"].
patterns, err := e.GetImplicitObjectPatternsForUser("alice", "chronicle/123", "read")
const patterns = await e.getImplicitObjectPatternsForUser("alice", "chronicle/123", "read")
$patterns = $e->getImplicitObjectPatternsForUser("alice", "chronicle/123", "read");
patterns = e.get_implicit_object_patterns_for_user("alice", "chronicle/123", "read")
var patterns = e.GetImplicitObjectPatternsForUser("alice", "chronicle/123", "read");
let patterns = e.get_implicit_object_patterns_for_user("alice", "chronicle/123", "read").await?;
List<String> patterns = e.getImplicitObjectPatternsForUser("alice", "chronicle/123", "read");
GetAllowedObjectConditions()
GetAllowedObjectConditions returns a string array of object conditions that the user can access.
For example:
p, alice, r.obj.price < 25, read
p, admin, r.obj.category_id = 2, read
p, bob, r.obj.author = bob, write
g, alice, admin
e.GetAllowedObjectConditions("alice", "read", "r.obj.") will return ["price < 25", "category_id = 2"], nil
Note:
-
prefix: You can customize the prefix of the object conditions, and "r.obj." is commonly used as a prefix. After removing the prefix, the remaining part is the condition of the object. If there is an obj policy that does not meet the prefix requirement, an
errors.ERR_OBJ_CONDITIONwill be returned. -
If the 'objectConditions' array is empty, return
errors.ERR_EMPTY_CONDITIONThis error is returned because some data adapters' ORM return full table data by default when they receive an empty condition, which tends to behave contrary to expectations.(e.g. GORM) If you are using an adapter that does not behave like this, you can choose to ignore this error.
conditions, err := e.GetAllowedObjectConditions("alice", "read", "r.obj.")
var conditions = e.GetAllowedObjectConditions("alice", "read", "r.obj.");
GetImplicitUsersForResource()
GetImplicitUsersForResource return implicit user based on resource.
For example:
p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin
GetImplicitUsersForResource("data2") will return [["bob", "data2", "write"], ["alice", "data2", "read"] ["alice", "data2", "write"]], nil.
GetImplicitUsersForResource("data1") will return [["alice", "data1", "read"]], nil.
ImplicitUsers, err := e.GetImplicitUsersForResource("data2")
var implicitUsers = e.GetImplicitUsersForResource("data2");
Only users will be returned, roles (2nd arg in "g") will be excluded.
GetNamedImplicitUsersForResource()��
GetNamedImplicitUsersForResource return implicit user based on resource with named policy support. This function handles resource role relationships through named policies (e.g., g2, g3, etc.).
For example:
p, admin_group, admin_data, *
g, admin, admin_group
g2, app, admin_data
GetNamedImplicitUsersForResource("g2", "app") will return users who have access to admin_data through g2 relationship.
ImplicitUsers, err := e.GetNamedImplicitUsersForResource("g2", "app")
var implicitUsers = e.GetNamedImplicitUsersForResource("g2", "app");