casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0
2.38k stars, 461 forks

transitivity not respected #17

Closed zamrokk closed 5 years ago

zamrokk commented 5 years ago

If I create a new group of resources from the base example, then Alice is not able to access the resources contained in this new group, only the group itself.

p, alice, data1, read
p, bob, data2, write
p, data2_admin, data2, read
p, data2_admin, data2, write
g, alice, data2_admin
g, data3, datagroup
p, data2_admin, datagroup, read

If I request like this:

{
    "user":"alice",
    "resource":"data3",
    "action":"read"
}

then the answer is: NO, expected is: YES

proof:

zamrokk commented 5 years ago

Fixed by:

[matchers]
m = g(r.sub, p.sub) && g(r.obj, p.obj) && r.act == p.act

Why was it not set by default? :/

Well, it works.

hsluoyz commented 5 years ago

Hi @zamrokk, your solution is not robust, as you are mixing resource roles with user roles. If you happen to have a user named data3 and a role named datagroup, the former will inherit the latter based on your policy. The correct way is to use g2 for resource roles.

g, alice, data2_admin
g2, data3, datagroup

See RBAC with resource roles at: https://github.com/casbin/jcasbin#examples
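The following is an added example, not code from the issue or from jcasbin itself, that builds the thread's policy twice: once with the single-`g` matcher from the "fix" above and once with resource roles kept in `g2` as recommended. The extra policy line granting the role `datagroup` write on `data1` is constructed to make the leak visible; it assumes jcasbin on the classpath and Java 11+ for `Files.writeString`.

```java
import org.casbin.jcasbin.main.Enforcer;
import java.nio.file.Files;
import java.nio.file.Path;

public class ResourceRoleDemo {
    // Sections shared by both model variants.
    static final String MODEL_HEAD = String.join("\n",
        "[request_definition]", "r = sub, obj, act", "",
        "[policy_definition]", "p = sub, obj, act", "",
        "[policy_effect]", "e = some(where (p.eft == allow))", "");

    // Variant 1: one role hierarchy serves both subjects and objects (the issue's "fix").
    static final String MIXED_G = String.join("\n",
        "[role_definition]", "g = _, _", "",
        "[matchers]", "m = g(r.sub, p.sub) && g(r.obj, p.obj) && r.act == p.act", "");

    // Variant 2: user roles in g, resource roles in g2 (RBAC with resource roles).
    static final String SEPARATE_G2 = String.join("\n",
        "[role_definition]", "g = _, _", "g2 = _, _", "",
        "[matchers]", "m = g(r.sub, p.sub) && g2(r.obj, p.obj) && r.act == p.act", "");

    // Policy from the issue; the data3 -> datagroup link uses g or g2 depending on the model.
    static String policy(String resourceGrouping) {
        return String.join("\n",
            "p, alice, data1, read", "p, bob, data2, write",
            "p, data2_admin, data2, read", "p, data2_admin, data2, write",
            "p, data2_admin, datagroup, read",
            "p, datagroup, data1, write",            // constructed: a grant to the *role* datagroup
            "g, alice, data2_admin",
            resourceGrouping + ", data3, datagroup", "");
    }

    static Enforcer build(String modelTail, String resourceGrouping) throws Exception {
        Path model = Files.createTempFile("model", ".conf");
        Path csv = Files.createTempFile("policy", ".csv");
        Files.writeString(model, MODEL_HEAD + modelTail);
        Files.writeString(csv, policy(resourceGrouping));
        return new Enforcer(model.toString(), csv.toString());
    }

    public static void main(String[] args) throws Exception {
        Enforcer mixed = build(MIXED_G, "g");
        Enforcer proper = build(SEPARATE_G2, "g2");
        // Both variants resolve alice -> data2_admin and data3 -> datagroup for the original request.
        System.out.println("alice read data3 (mixed g):  " + mixed.enforce("alice", "data3", "read"));
        System.out.println("alice read data3 (g + g2):   " + proper.enforce("alice", "data3", "read"));
        // The difference: under a single g, the resource name data3 is also a subject that
        // holds the role datagroup, so it picks up that role's grants; under g2 it does not.
        System.out.println("data3 has role datagroup (mixed g): " + mixed.hasRoleForUser("data3", "datagroup"));
        System.out.println("data3 write data1 (mixed g):        " + mixed.enforce("data3", "data1", "write"));
        System.out.println("data3 has role datagroup (g + g2):  " + proper.hasRoleForUser("data3", "datagroup"));
        System.out.println("data3 write data1 (g + g2):         " + proper.enforce("data3", "data1", "write"));
    }
}
```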

zamrokk commented 5 years ago

Yes, correct, I understand it better now :)

Thanks for the info :P