跳转至主要内容

Casbin RBAC vs. RBAC96

Casbin RBAC和RBAC96

This document compares Casbin RBAC with RBAC96.

Casbin RBAC implements nearly all RBAC96 features while adding enhancements.

RBAC版本支持级别描述
RBAC0完全支持RBAC0 provides basic RBAC96 functionality, defining relationships between Users, Roles, and Permissions.
RBAC1完全支持RBAC1 extends RBAC0 with role hierarchies. When alice has role1 and role1 has role2, then alice inherits role2 and its permissions.
RBAC2支持互斥处理(像这样RBAC2 adds constraints to RBAC0, enabling mutually exclusive policy handling. Quantitative limits are unsupported.
RBAC3支持互斥处理(像这样RBAC3 combines RBAC1 and RBAC2, supporting both role hierarchies and constraints. Quantitative limits are unsupported.

Casbin RBAC和RBAC96之间的区别

  1. Casbin handles User-Role distinction less strictly than RBAC96.

    Casbin treats both Users and Roles as strings. Consider this policy:

    p, admin, book, read
    p, alice, book, read
    g, amber, admin

    Calling GetAllSubjects() on a Casbin Enforcer:

    e.GetAllSubjects()

    returns:

    [admin alice]

    Casbin includes both Users and Roles as subjects.

    However, calling GetAllRoles():

    e.GetAllRoles()

    returns:

    [admin]

    Casbin distinguishes Users from Roles, but less strictly than RBAC96. Add prefixes like user::alice and role::admin to clarify relationships.

  2. Casbin RBAC offers more flexible permissions than RBAC96.

    RBAC96 defines seven permissions: read, write, append, execute, credit, debit, and inquiry.

    Casbin treats permissions as strings, letting you define permissions matching your requirements.

  3. Casbin RBAC支持域。

    Casbin enables domain-based authorization, providing greater Access Control Model flexibility.