Getting started with Casbin
2022-07-29 03:37:00 【Nanyidao street】
PERM Metamodel
Policy: policy definition
Components
- subject (sub): the entity requesting access
- object (obj): the resource being accessed
- action (act): the access method
- eft: the policy result. It is usually left empty, which means allow. eft has only two possible values, allow or deny.
Syntax:
[policy_definition]
p = sub, obj, act
An optional fourth field, eft, may be appended: p = sub, obj, act, eft
Request: request definition
Components
- subject (sub): the entity requesting access
- object (obj): the resource being accessed
- action (act): the access method
Syntax:
[request_definition]
r = sub, obj, act
This is the same as the policy definition, just without eft.
Matchers: matching rules
Purpose: define how a Request is matched against the Policy rules
Syntax:
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act
For every policy rule that satisfies the matcher, its eft is passed to the effect expression, which determines whether the final result is true or false.
Effect: policy effect
Syntax:
The effect expression is fixed; it must be one of the following.
| Policy effect | Meaning | Example |
|---|---|---|
| some(where (p.eft == allow)) | allow-override | ACL, RBAC, etc. |
| !some(where (p.eft == deny)) | deny-override | Deny-override |
| some(where (p.eft == allow)) && !some(where (p.eft == deny)) | allow-and-deny | Allow-and-deny |
| priority(p.eft) \|\| deny | priority | Priority |
| subjectPriority(p.eft) | Role-based priority | Subject priority |
role_definition: role definition
g = _,_ is role-based
g = _,_,_ is domain-based
[role_definition]
g = _,_
The first _ stands for the user and the second _ for the role, i.e. g = user, role.
The user model
In the RBAC model, g links two entities (a user and a role) so that one can stand in for the other during matching.
For example, if g relates alice to data2_admin, the sub of a policy rule can be written as either alice or data2_admin and a request from alice will pass.

Multi-tenant model
[role_definition]
g = _,_,_
Domain matching rule: g receives three parameters
[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act
[request_definition]
r = sub, dom, obj, act
[policy_definition]
p = sub, dom, obj, act
[role_definition]
g = _, _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act
Policy
p, admin, domain1, data1, read
p, admin, domain1, data1, write
p, admin, domain1, data2, read
p, admin, domain2, data2, read
p, admin, domain2, data2, write
g, alice, admin, domain1
g, bob, admin, domain2
Request
alice, domain1, data2, read
Result
true

How the example is evaluated:
The matcher uses r.sub and r.dom to look for p.sub. In the policy, the g rule alice, admin, domain1 gives us admin; in other words, alice is equivalent to admin in domain1. We then check the p rules: with the remaining matching conditions (data2 = data2, read = read) we arrive at the record p, admin, domain1, data2, read. That record exists, so the result is true.
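The evaluation described above, written out by hand in Go as an added example (not code from the original post and not Casbin's implementation); the names rule, link, hasRole and enforce are hypothetical. It also shows that a role granted in one domain does not carry over to another.

```go
package main

import "fmt"

// Hand-written evaluation of the multi-tenant matcher; not Casbin's code.
type rule struct{ sub, dom, obj, act string } // one p line
type link struct{ user, role, dom string }    // one g line

// Policy copied from the example above.
var pRules = []rule{
	{"admin", "domain1", "data1", "read"},
	{"admin", "domain1", "data1", "write"},
	{"admin", "domain1", "data2", "read"},
	{"admin", "domain2", "data2", "read"},
	{"admin", "domain2", "data2", "write"},
}
var gRules = []link{{"alice", "admin", "domain1"}, {"bob", "admin", "domain2"}}

// hasRole mirrors g(r.sub, p.sub, r.dom): true if the names are equal or
// sub reaches role through g links that all belong to the domain dom.
func hasRole(sub, role, dom string, seen map[string]bool) bool {
	if sub == role {
		return true
	}
	seen[sub] = true
	for _, g := range gRules {
		if g.user == sub && g.dom == dom && !seen[g.role] && hasRole(g.role, role, dom, seen) {
			return true
		}
	}
	return false
}

// enforce applies the matcher to every p rule; with the effect
// some(where (p.eft == allow)) a single matching rule is enough.
func enforce(sub, dom, obj, act string) bool {
	for _, p := range pRules {
		if hasRole(sub, p.sub, dom, map[string]bool{}) &&
			dom == p.dom && obj == p.obj && act == p.act {
			return true
		}
	}
	return false
}

func main() {
	fmt.Println(enforce("alice", "domain1", "data2", "read"))  // request from the example
	fmt.Println(enforce("alice", "domain2", "data2", "write")) // alice holds no role in domain2
}
```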
Hands-on practice
Saving the policy rules to the database
go get github.com/casbin/gorm-adapter/v3
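package main

import (
	"fmt"
	"log"

	"github.com/casbin/casbin/v2"
	gormadapter "github.com/casbin/gorm-adapter/v3"
)

func main() {
	// Your driver and data source. <password> is a placeholder: the real value is not on the page.
	a, err := gormadapter.NewAdapter("mysql", "root:<password>@tcp(127.0.0.1:3306)/casbin", true)
	if err != nil {
		log.Fatalf("open adapter: %v", err)
	}
	e, err := casbin.NewEnforcer("./model.conf", a)
	if err != nil {
		log.Fatalf("load model: %v", err)
	}
	sub := "alice" // user who wants to access the resource
	obj := "data1" // resource to be accessed
	act := "read"  // operation the user performs on the resource
	// Add the rule through the enforcer so that the adapter stores it in the database.
	added, err := e.AddPolicy("alice", "data1", "read")
	fmt.Println(added)
	fmt.Println(err)
	ok, err := e.Enforce(sub, obj, act)
	if err != nil {
		fmt.Println(" Do you eat oil cake ")
		fmt.Printf("%s", err)
		return
	}
	if ok {
		fmt.Println(" litchi ")
	} else {
		fmt.Println(" Susan ")
	}
}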
Adding, deleting and modifying Policy rules
filterPolicy := e.GetFilteredPolicy(0, "alice") // query the rules whose field at index 0 is alice
fmt.Println(filterPolicy)
//[[alice data1 read] [alice data2 read]]
// litchi
Adding an RBAC mapping
policy.csv
[role_definition]
g = _,_
[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
The g(r.sub, p.sub) relation has to be added to the matcher.
main.go