
Casbin RBAC and RBAC96


In this document, we will compare Casbin RBAC with RBAC96.

Casbin RBAC supports nearly all the features of RBAC96 and adds new features on top of that.

| RBAC Version | Support Level | Description |
| --- | --- | --- |
| RBAC0 | Fully Supported | RBAC0 is the basic version of RBAC96. It clarifies the relationship between Users, Roles, and Permissions. |
| RBAC1 | Fully Supported | RBAC1 adds role hierarchies on top of RBAC0. This means that if alice has role1, role1 has role2, then alice will also have role2 and inherit its permissions. |
| RBAC2 | Mutually Exclusive Handling Supported (like this) | RBAC2 adds constraints on RBAC0. This allows RBAC2 to handle mutually exclusive policies. However, quantitative limits are not supported. |
| RBAC3 | Mutually Exclusive Handling Supported (like this) | RBAC3 is a combination of RBAC1 and RBAC2. It supports role hierarchies and constraints found in RBAC1 and RBAC2. However, quantitative limits are not supported. |

The Difference Between Casbin RBAC and RBAC96

  1. In Casbin, the distinction between User and Role is not as clear as in RBAC96.

    In Casbin, both Users and Roles are treated as strings. For example, consider the following policy file:

    p, admin, book, read
    p, alice, book, read
    g, amber, admin

    If you call the method GetAllSubjects() using an instance of the Casbin Enforcer:

    e.GetAllSubjects()

    the return value will be:

    [admin alice]

    This is because in Casbin, subjects include both Users and Roles.

    However, if you call the method GetAllRoles():

    e.GetAllRoles()

    the return value will be:

    [admin]

    From this, you can see that there is a distinction between Users and Roles in Casbin, but it is not as sharp as in RBAC96. Of course, you can add a prefix to your policies such as user::alice and role::admin to clarify their relationships.

  2. Casbin RBAC provides more permissions than RBAC96.

    RBAC96 defines only 7 permissions: read, write, append, execute, credit, debit, and inquiry.

    However, in Casbin, we treat permissions as strings. This allows you to create permissions that better suit your needs.

  3. Casbin RBAC supports domains.

    In Casbin, you can perform authorizations based on domains. This feature makes your Access Control Model more flexible.
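
The prefix convention from item 1, as an added example that is not Casbin's own code: a standard-library Go linter that derives the same subject and role sets the page shows and flags names lacking a `user::` or `role::` prefix. The `Lint` and `add` helpers and the two policy constants are hypothetical names introduced here.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed input: the page's policy file, then the same rules with prefixes.
const pagePolicy = "p, admin, book, read\np, alice, book, read\ng, amber, admin"
const prefixedPolicy = "p, role::admin, book, read\np, user::alice, book, read\ng, user::amber, role::admin"

// add appends v to list once, keeping first-seen order.
func add(list []string, v string) []string {
	for _, x := range list {
		if x == v {
			return list
		}
	}
	return append(list, v)
}

// Lint is a hypothetical helper, not a Casbin API. subjects are field 1 of p
// rules and roles are field 2 of g rules, matching the output the page shows.
func Lint(policy string) (subjects, roles, findings []string) {
	check := func(n int, name string, roleOnly bool) {
		ok := strings.HasPrefix(name, "role::") || (!roleOnly && strings.HasPrefix(name, "user::"))
		if !ok {
			findings = append(findings, fmt.Sprintf("line %d: %q lacks a required prefix", n+1, name))
		}
	}
	for n, line := range strings.Split(policy, "\n") {
		f := strings.Split(line, ",")
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		switch {
		case len(f) > 1 && f[0] == "p":
			subjects = add(subjects, f[1])
			check(n, f[1], false)
		case len(f) > 2 && f[0] == "g":
			roles = add(roles, f[2])
			check(n, f[1], false) // member may be a user or a child role
			check(n, f[2], true)  // the granted name must be a role
		}
	}
	return
}

func main() { fmt.Println(Lint(pagePolicy)) }
```

Running a check like this before a policy file is loaded catches a `g` rule that grants one user's name to another as if it were a role, which the string-only model would otherwise accept silently.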