casbin / jcasbin

An authorization library that supports access control models like ACL, RBAC, ABAC in Java
https://casbin.org
Apache License 2.0
2.38k stars, 461 forks

Add Rbac with domain and resource roles model example. #328

Closed selfuppen closed 1 year ago

selfuppen commented 1 year ago

I want to use the Rbac with domain model combined with the resource roles model, but there are no examples or documents.

My case is below: rbac_with_resource_roles_and_domain_policy.csv

```csv
p, data_group_admin, domain1, data_group, read
p, data_group_admin, domain1, data_group, write
p, data_group_admin, domain2, data_group2, read
p, data_group_admin, domain2, data_group2, write

g, alice, data_group_admin, domain1
g, bob, data_group_admin, domain2

g2, data1, data_group
g2, data2, data_group2
```

Tests

```java
import org.casbin.jcasbin.main.Enforcer;
import org.junit.Test;

// testDomainEnforce(e, sub, dom, obj, act, expected) is the helper from jcasbin's test utilities
import static org.casbin.jcasbin.main.TestUtil.testDomainEnforce;

public class RbacWithResourceRolesAndDomainTest {
    @Test
    public void myTest() {
        Enforcer e = new Enforcer("examples/rbac_with_resource_roles_and_domain_model.conf", "examples/rbac_with_resource_roles_and_domain_policy.csv");

        testDomainEnforce(e, "alice", "domain1", "data1", "read", true);
        testDomainEnforce(e, "alice", "domain1", "data1", "write", true);
        testDomainEnforce(e, "alice", "domain1", "data2", "read", false);
        testDomainEnforce(e, "alice", "domain1", "data2", "write", false);
        testDomainEnforce(e, "alice", "domain2", "data1", "read", false);
        testDomainEnforce(e, "alice", "domain2", "data1", "write", false);
        testDomainEnforce(e, "alice", "domain2", "data2", "read", false);
        testDomainEnforce(e, "alice", "domain2", "data2", "write", false);

        testDomainEnforce(e, "bob", "domain1", "data2", "read", false);
        testDomainEnforce(e, "bob", "domain1", "data2", "write", false);
        testDomainEnforce(e, "bob", "domain1", "data1", "read", false);
        testDomainEnforce(e, "bob", "domain1", "data1", "write", false);
        testDomainEnforce(e, "bob", "domain2", "data1", "read", false);
        testDomainEnforce(e, "bob", "domain2", "data1", "write", false);
        testDomainEnforce(e, "bob", "domain2", "data2", "read", true);
        testDomainEnforce(e, "bob", "domain2", "data2", "write", true);
    }
}
```

rbac_with_resource_roles_and_domain_model.conf

```ini
[request_definition]
r = sub, dom, obj, act
[policy_definition]
p = sub, dom, obj, act
[role_definition]
g = _, _, _
g2 = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
# won't work
m = g(r.sub, p.sub, r.dom) && g2(r.obj, p.obj) && r.dom == p.dom && r.obj == p.obj && r.act == p.act
```

My question is how can I define my model (especially the [matchers]).

When I found some similar cases, I was even more confused: the class src/test/java/org/casbin/jcasbin/main/GroupRoleManagerTest.java uses group_with_domain_model, but the test seems to be the complete opposite. In my humble opinion, shouldn't the request testDomainEnforce(e, "alice", "domain1", "data1", "read", false); be true rather than false?


request in GroupRoleManagerTest.java:

```java
import org.casbin.jcasbin.main.Enforcer;
import org.junit.Test;

// testDomainEnforce(e, sub, dom, obj, act, expected) is the helper from jcasbin's test utilities
import static org.casbin.jcasbin.main.TestUtil.testDomainEnforce;

public class GroupRoleManagerTest {
    @Test
    public void testGroupRoleManager() {
        Enforcer e = new Enforcer("examples/group_with_domain_model.conf", "examples/group_with_domain_policy.csv");
        testDomainEnforce(e, "alice", "domain1", "data1", "read", false);
    }
}
```

group_with_domain_model.csv

```csv
p, admin, domain1, data1, read
g, alice, group1
g2, group1, admin, domain1
```

group_with_domain_model.conf

```ini
[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _,_
g2 = _, _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = (g(r.sub, p.sub) || g2(r.sub, p.sub, r.dom)) && r.obj == p.obj && r.act == p.act
```

Tell me if you need more information. Thank you!

casbin-bot commented 1 year ago

@tangyang9464 @imp2002

selfuppen commented 1 year ago

OK, I finally worked it out. The correct model is

```ini
[request_definition]
r = sub, dom, obj, act

[policy_definition]
p = sub, dom, obj, act

[role_definition]
g = _, _, _
g2 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub, r.dom) && g2(r.obj, p.obj) && r.dom == p.dom && r.act == p.act
```

So, if there is nothing wrong, I would love to propose an rbac_with_resource_roles_and_domain example PR.
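To make the difference between the "won't work" matcher in the opening post and the corrected one above concrete, here is an added example that is not part of this issue or of Casbin/jcasbin: a small Python re-implementation of just the matcher semantics this model needs (a domain-scoped role link `g(sub, role, dom)` and a resource grouping `g2(obj, group)`, both with Casbin-style transitive inheritance), run over the exact policy rows and the expected results from the issue's test. The function and variable names (`has_link`, `enforce`, `ISSUE_TESTS`, ...) are the example's own, not Casbin APIs.

```python
"""Minimal evaluator for the 'RBAC with domains + resource roles' model from the issue.

Added illustration, not Casbin/jcasbin code: only the role-link and policy-effect
behaviour needed to compare the broken and the corrected matcher is re-implemented.
"""
from typing import Callable, List, Sequence, Tuple

Request = Tuple[str, str, str, str]  # r = sub, dom, obj, act
Policy = Tuple[str, str, str, str]   # p = sub, dom, obj, act
Matcher = Callable[[Request, Policy], bool]

# Rows from the issue's rbac_with_resource_roles_and_domain_policy.csv
P_RULES: List[Policy] = [
    ("data_group_admin", "domain1", "data_group", "read"),
    ("data_group_admin", "domain1", "data_group", "write"),
    ("data_group_admin", "domain2", "data_group2", "read"),
    ("data_group_admin", "domain2", "data_group2", "write"),
]
G_RULES = [("alice", "data_group_admin", "domain1"),  # g = user, role, domain
           ("bob", "data_group_admin", "domain2")]
G2_RULES = [("data1", "data_group"),                  # g2 = resource, resource group
            ("data2", "data_group2")]


def has_link(rules: Sequence[tuple], name1: str, name2: str, dom: str = None) -> bool:
    """Casbin-style role link: true if name1 == name2 or name1 reaches name2 through the
    grouping rules, following chains transitively. With a domain, only links recorded
    for that domain are followed (rule[2] is the domain column of a 3-column g rule)."""
    if name1 == name2:
        return True
    seen, stack = set(), [name1]
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        for rule in rules:
            if rule[0] != cur or (dom is not None and rule[2] != dom):
                continue
            if rule[1] == name2:
                return True
            stack.append(rule[1])
    return False


def g(sub: str, role: str, dom: str) -> bool:
    return has_link(G_RULES, sub, role, dom)


def g2(obj: str, group: str) -> bool:
    return has_link(G2_RULES, obj, group)


def broken_matcher(r: Request, p: Policy) -> bool:
    # m = g(r.sub, p.sub, r.dom) && g2(r.obj, p.obj) && r.dom == p.dom && r.obj == p.obj && r.act == p.act
    # The extra r.obj == p.obj can only hold when the request names the group itself,
    # so every request for a concrete resource is denied.
    return g(r[0], p[0], r[1]) and g2(r[2], p[2]) and r[1] == p[1] and r[2] == p[2] and r[3] == p[3]


def fixed_matcher(r: Request, p: Policy) -> bool:
    # m = g(r.sub, p.sub, r.dom) && g2(r.obj, p.obj) && r.dom == p.dom && r.act == p.act
    return g(r[0], p[0], r[1]) and g2(r[2], p[2]) and r[1] == p[1] and r[3] == p[3]


def enforce(matcher: Matcher, r: Request) -> bool:
    """e = some(where (p.eft == allow)): allow when any policy row matches."""
    return any(matcher(r, p) for p in P_RULES)


# (request, expected) pairs copied from the issue's myTest()
ISSUE_TESTS: List[Tuple[Request, bool]] = [
    (("alice", "domain1", "data1", "read"), True),
    (("alice", "domain1", "data1", "write"), True),
    (("alice", "domain1", "data2", "read"), False),
    (("alice", "domain1", "data2", "write"), False),
    (("alice", "domain2", "data1", "read"), False),
    (("alice", "domain2", "data2", "read"), False),
    (("bob", "domain1", "data2", "read"), False),
    (("bob", "domain1", "data1", "write"), False),
    (("bob", "domain2", "data1", "read"), False),
    (("bob", "domain2", "data2", "read"), True),
    (("bob", "domain2", "data2", "write"), True),
]


def matches_issue_table(matcher: Matcher) -> bool:
    """True when the matcher reproduces every expected result from the issue's test."""
    return all(enforce(matcher, r) == expected for r, expected in ISSUE_TESTS)


if __name__ == "__main__":
    for name, m in (("broken", broken_matcher), ("fixed", fixed_matcher)):
        for r, expected in ISSUE_TESTS:
            print(f"{name:6} {r} -> {enforce(m, r)} (expected {expected})")
    print("fixed matcher reproduces the issue's table:", matches_issue_table(fixed_matcher))
```

Running it shows the broken matcher denying all eleven requests while the corrected one reproduces the table exactly: `g2(r.obj, p.obj)` is what links `data1` to `data_group`, and the literal `r.obj == p.obj` contradicts it for every concrete resource. The one case the issue's tests do not cover is a request whose object is the group name itself (for example `data_group`), which both matchers allow because `g2` treats a name as linked to itself.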

hsluoyz commented 1 year ago

@selfuppen PR is welcome!