RBAC with Domains

Role definition with domains/tenants

RBAC roles in Casbin can be global or domain-specific. Domain-specific roles mean that a user's roles can differ depending on which domain/tenant the user is in. This is very useful for large systems such as a cloud, where users usually belong to different tenants.

The role definition with domains/tenants should be something like:

[role_definition]
g = _, _, _

The third _ is the name of the domain/tenant; this part should not be changed. The policy can then be:

p, admin, tenant1, data1, read
p, admin, tenant2, data2, read

g, alice, admin, tenant1
g, alice, user, tenant2

This means that the admin role in tenant1 can read data1. alice has the admin role in tenant1 and the user role in tenant2, so she can read data1. However, since alice is not an admin in tenant2, she cannot read data2.

Then, in the matcher, check the role as shown below:

[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act

Please see the rbac_with_domains_model.conf for examples.
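The following added example (not Casbin's code, and not using the Casbin library) is a small stand-in evaluator for the matcher above, run over the policy lines from this page. The names hasRole, Enforce and checkDom are hypothetical; checkDom=false evaluates the matcher with the r.dom == p.dom clause left out, to show why that clause is needed for tenant isolation.

```go
package main

import "fmt"
import "strings"

// Policy lines from this page, embedded as sample data for the added example.
const policy = `p, admin, tenant1, data1, read
p, admin, tenant2, data2, read
g, alice, admin, tenant1
g, alice, user, tenant2`

// hasRole stands in for g(sub, role, dom): links are followed only inside dom.
func hasRole(links map[string][]string, sub, role, dom string, seen map[string]bool) bool {
	if sub == role {
		return true
	}
	seen[sub] = true
	for _, next := range links[dom+"\x00"+sub] {
		if !seen[next] && hasRole(links, next, role, dom, seen) {
			return true
		}
	}
	return false
}

// Enforce evaluates the page's matcher; checkDom=false omits r.dom == p.dom.
func Enforce(sub, dom, obj, act string, checkDom bool) bool {
	ps, links := [][]string{}, map[string][]string{} // links key: domain + NUL + subject
	for _, line := range strings.Split(policy, "\n") {
		f := strings.Split(strings.ReplaceAll(line, " ", ""), ",")
		if f[0] == "p" && len(f) == 5 {
			ps = append(ps, f[1:])
		} else if f[0] == "g" && len(f) == 4 {
			links[f[3]+"\x00"+f[1]] = append(links[f[3]+"\x00"+f[1]], f[2])
		}
	}
	for _, p := range ps { // p = [sub, dom, obj, act]
		if hasRole(links, sub, p[0], dom, map[string]bool{}) &&
			(!checkDom || dom == p[1]) && obj == p[2] && act == p[3] {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(Enforce("alice", "tenant1", "data1", "read", true))  // true
	fmt.Println(Enforce("alice", "tenant1", "data2", "read", true))  // false
	fmt.Println(Enforce("alice", "tenant1", "data2", "read", false)) // true: tenant2's rule matched
}
```

With the domain comparison removed, alice's admin role in tenant1 satisfies the tenant2 rule for data2, so a matcher under review should always pair g(r.sub, p.sub, r.dom) with r.dom == p.dom.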


Last updated on 11/28/2022