Closed zolrath closed 8 years ago
This rbac plugin, as it is now, has no knowledge of data. This means that it is not possible to infer hierarchies.
But, you can play with the rules/effects. If you want to grant access to:
(1) All except USER, then:
{
  apply: 'deny-overrides', // DENY if at least one deny applies
  rules: [
    {
      target: ['any-of',
        {type: "role", value: "USER"}
      ],
      effect: 'deny'
    },
    {
      effect: 'permit' // always applies, overridden by the first rule if applicable
    }
  ]
}
(2) All, except USER and REP:
{
  apply: 'deny-overrides', // DENY if at least one deny applies
  rules: [
    {
      target: ['any-of',
        {type: "role", value: "USER"},
        {type: "role", value: "REP"}
      ],
      effect: 'deny'
    },
    {
      effect: 'permit' // always applies, overridden by the first rule if applicable
    }
  ]
}
Only ADMIN and MANAGER (same as 2, in this case):
{
  apply: 'permit-overrides', // PERMIT if at least one permit applies
  rules: [
    {
      target: ['any-of',
        {type: "role", value: "ADMIN"},
        {type: "role", value: "MANAGER"}
      ],
      effect: 'permit'
    },
    {
      effect: 'deny' // always applies, overridden by the first rule if applicable
    }
  ]
}
Edit: Added policy. If no rule applies, then the result is undetermined and access is denied. For it to work, you need to define one rule which applies by default.
In the case of having roles such as ADMIN, MANAGER, REP, USER, while defining the lower tier of rules for a User in this case:
it appears that I must do an 'any-of' and supply every more privileged role in the rule. Is there a method of defining that ADMIN > MANAGER > REP > USER, allowing something akin to a greater-than-or-equal-to rule?
type: "role", gte: "USER"
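The following is an added example, not the plugin's own code, that illustrates two things from this thread: how the combining algorithms in the answer above (deny-overrides, permit-overrides, a target-less rule that always applies, and an undetermined result being denied) decide access for each role, and how the hierarchy the question asks for can be expressed without plugin support by expanding a minimum role into the 'any-of' list of every role at or above it. The evaluator, the `atLeastRolePolicy` helper, and the ordered `HIERARCHY` array are all constructed for this illustration; only the policy shape is taken from the snippets in the thread.

```javascript
// Added illustration of the rule/effect semantics described in the thread.
// Not the plugin's code: the evaluator mimics the behaviour the answer describes
// (deny-overrides, permit-overrides, rules without a target always apply,
// "undetermined" is treated as deny). Policy shape follows the thread's snippets.

// Does one rule's target match the credentials? A missing target always matches.
// target: ['any-of', {type, value}, ...] matches if any entry matches;
// 'all-of' (assumed here for completeness) requires every entry to match.
function targetMatches(target, credentials) {
  if (!target) return true;
  const [combinator, ...entries] = target;
  const hit = (e) => credentials[e.type] === e.value;
  if (combinator === 'any-of') return entries.some(hit);
  if (combinator === 'all-of') return entries.every(hit);
  throw new Error(`unknown target combinator: ${combinator}`);
}

// Evaluate a policy: 'permit', 'deny', or 'undetermined' when no rule applied.
function evaluatePolicy(policy, credentials) {
  const effects = policy.rules
    .filter((r) => targetMatches(r.target, credentials))
    .map((r) => r.effect);
  if (effects.length === 0) return 'undetermined';
  if (policy.apply === 'deny-overrides') {
    return effects.includes('deny') ? 'deny' : 'permit';
  }
  if (policy.apply === 'permit-overrides') {
    return effects.includes('permit') ? 'permit' : 'deny';
  }
  throw new Error(`unknown combining algorithm: ${policy.apply}`);
}

// Only an explicit 'permit' grants access; 'undetermined' is denied, as the answer states.
function isAllowed(policy, credentials) {
  return evaluatePolicy(policy, credentials) === 'permit';
}

// The "ADMIN > MANAGER > REP > USER" idea from the question, done on the caller's
// side: expand a minimum role into an 'any-of' over it and every role above it.
// `hierarchy` is ordered highest-privilege first and is supplied by the caller;
// the plugin itself has no notion of it.
function atLeastRolePolicy(hierarchy, minRole) {
  const idx = hierarchy.indexOf(minRole);
  if (idx === -1) throw new Error(`unknown role: ${minRole}`);
  const allowed = hierarchy.slice(0, idx + 1).map((value) => ({ type: 'role', value }));
  return {
    apply: 'permit-overrides',
    rules: [
      { target: ['any-of', ...allowed], effect: 'permit' },
      { effect: 'deny' }, // default rule so the result is never undetermined
    ],
  };
}

// Constructed role hierarchy for the demonstration, highest first.
const HIERARCHY = ['ADMIN', 'MANAGER', 'REP', 'USER'];

// Policy (2) from the answer: everyone except USER and REP.
const denyUserAndRep = {
  apply: 'deny-overrides',
  rules: [
    {
      target: ['any-of', { type: 'role', value: 'USER' }, { type: 'role', value: 'REP' }],
      effect: 'deny',
    },
    { effect: 'permit' },
  ],
};

// Policy (3), generated from the hierarchy: only ADMIN and MANAGER.
const onlyAdminAndManager = atLeastRolePolicy(HIERARCHY, 'MANAGER');

// Policy (2) with its default rule removed: nothing applies to ADMIN, so the
// result is undetermined and ADMIN is denied. This is the caveat in the edit.
const noDefaultRule = { apply: 'deny-overrides', rules: denyUserAndRep.rules.slice(0, 1) };

// Map each role in the hierarchy to the access decision a policy gives it.
function decisionsFor(policy) {
  return Object.fromEntries(HIERARCHY.map((role) => [role, isAllowed(policy, { role })]));
}

console.log('deny USER/REP      :', decisionsFor(denyUserAndRep));
console.log('only ADMIN/MANAGER :', decisionsFor(onlyAdminAndManager));
console.log('no default, ADMIN  :', evaluatePolicy(noDefaultRule, { role: 'ADMIN' }));
```

Running it prints the same decision table for policies (2) and (3) (ADMIN and MANAGER permitted, REP and USER denied) and `undetermined` for the policy without a default rule, which is why the answer insists on a rule that always applies.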