yiisoft / rbac-db

yiisoft/db adapter for RBAC.
https://www.yiiframework.com/
BSD 3-Clause "New" or "Revised" License

Please support multiple domain/tenant or filtering #3

Open pigochu opened 4 years ago

pigochu commented 4 years ago

I want to design a multiple domain/tenant RBAC.

But auth_assignment item_name is the primary key.

So I need to create roles domain/1/admin, domain/2/admin, etc. Then I can assign users to those domains.

But it's hard to manage, because I need to add all permissions for each domain's roles.

I think rbac-db can add a domain id to the auth_assignment table.

But not everyone needs a domain id, so this is not a good idea.

Another way: if we use a filter, maybe it can be more flexible, e.g.:

```php
$myfilter = new DbRbacFilter(1); // restrict assignment lookups to domain 1
Yii::$app->user->can("user", "edit", $myfilter);

interface DbRbacFilterInterface {
    public function beforeQueryAssignment($query);
}

class DbRbacFilter implements DbRbacFilterInterface {
    protected $domainId;

    public function __construct($domain_id) {
        $this->domainId = $domain_id;
    }

    // Called before the assignment query runs; narrows it to this domain.
    public function beforeQueryAssignment($query) {
        $query->andWhere(['domain_id' => $this->domainId]);
    }
}
```

Then I can add a domain_id column to the assignment table.

samdark commented 4 years ago

Am I correct that you have multiple websites and want a single RBAC hierarchy to manage permissions for all these at once?

pigochu commented 4 years ago

> Am I correct that you have multiple websites and want a single RBAC hierarchy to manage permissions for all these at once?

No, single site, but it has a two-level organization.

The domain looks like: org/1, org/1/2, org/1/3, org/4

org/1 is the parent domain, org/1/2 and org/1/3 are children, org/4 is a parent. So I can also assign a user to domain org/1/*, and this user can access all children of org/1. Each domain may have more than one manager, and each domain has many staff or other roles.

pigochu commented 4 years ago

Casbin can support it; I have posted a question there.

https://github.com/php-casbin/php-casbin/issues/55

But Casbin has some problems: it always queries all data from the database when running in classic PHP page mode (cgi/fpm/fork ...). If I have a lot of users and domains, I think it will be slow.

samdark commented 4 years ago

Can't this be implemented with multiple roles and inheritance? i.e.

```
*org/1
  do_thing_in_1
  *org/1/2
    do_thing_in_2
  *org/1/3
    do_thing_in_3
*org/4
  do_thing_in_4
```

A user can have org/1 assigned. That will give him permissions from org/1/2 and org/1/3 as well. Also a user can be assigned multiple roles such as org/1/2, org/4.

pigochu commented 4 years ago

You mean when I check access I use Yii::$app->user->can("do_thing_in_1")?

I think it's hard to manage for me....

If I add a domain column to the assignment table, it will be simple. However, I am implementing my own RBAC; I rewrote many classes and am testing now, but it's not flexible... ha ha

Now I add a setDomain to Yii::$app->user; so

```php
Yii::$app->user->setDomain(["org/1", "org/1/*"]); // in a beforeAction event I can set that the current user is in domain org/1 and all children
Yii::$app->user->can("updateOrg"); // it means the user can do updateOrg in org/1
```

I also added some methods:

```php
Yii::$app->user->getRolesByUserWithDomain(1, "org/1"); // I can get the user's roles in domain org/1
```

These are my current roles; it's very simple, no do_thing_in_xxxxx, so easy to manage.

samdark commented 4 years ago

> I think it's hard to manage for me....

Why? Different domains are usually implemented separately. Thus you still need to explicitly check for concrete permissions there, right?

pigochu commented 4 years ago

Because I need to design a manage page; I need to list who is org admin or staff in each domain.

samdark commented 4 years ago

I assume that will still be a single page? That would require some effort to convert path-like roles into groups by domain.

  1. Get role-user assignments. That would give you roles like store.admin, store.manager, blog.admin, blog.author.
  2. For each domain such as store or blog, collect role-user assignments prefixed with the domain path.
  3. Remove the domain path to get the user's role within the domain.

RBAC itself may stay the same in this case.
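The three steps above in plain PHP, as an added example (not rbac-db or Yii code): the assignment list is constructed sample data standing in for step 1's query result, and the domain prefix is matched together with its separator so that a domain name that is a prefix of another (store vs. storefront) does not pull in the wrong roles.

```php
<?php
// Added example, not rbac-db code. Groups flat role names such as
// "store.admin" by domain, as described in steps 1-3 above.

/**
 * @param array<int, list<string>> $assignmentsByUser  userId => role names (step 1 output)
 * @param list<string>             $domains            domain prefixes, e.g. "store", "blog"
 * @param string                   $sep                separator between domain and role
 * @return array<string, array<int, list<string>>>    domain => userId => roles within that domain
 */
function groupAssignmentsByDomain(array $assignmentsByUser, array $domains, string $sep = '.'): array
{
    $result = array_fill_keys($domains, []);
    foreach ($assignmentsByUser as $userId => $roles) {
        foreach ($roles as $role) {
            foreach ($domains as $domain) {
                $prefix = $domain . $sep;
                // Step 2: match the prefix including the separator, so the
                // "store" domain does not collect "storefront.viewer".
                if (strncmp($role, $prefix, strlen($prefix)) !== 0) {
                    continue;
                }
                // Step 3: strip the domain path to get the role within the domain.
                $result[$domain][$userId][] = substr($role, strlen($prefix));
            }
        }
    }
    return $result;
}

// Constructed sample: what a role-user assignment query (step 1) could return.
$assignments = [
    1 => ['store.admin', 'blog.author'],
    2 => ['store.manager'],
    3 => ['blog.admin', 'storefront.viewer'], // "storefront" is a different domain
];

print_r(groupAssignmentsByDomain($assignments, ['store', 'blog']));
```

The same function works for path-like names (org/1/admin) by passing '/' as the separator and 'org/1' as the domain.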

pigochu commented 4 years ago

> I assume that will still be a single page? That would require some effort to convert path-like roles into groups by domain.
>
>   1. Get role-user assignments. That would give you roles like store.admin, store.manager, blog.admin, blog.author.
>   2. For each domain such as store or blog, collect role-user assignments prefixed with the domain path.
>   3. Remove the domain path to get the user's role within the domain.
>
> RBAC itself may stay the same in this case.

So I need to create many org/:id/blog.admin, org/:id/xxx roles, and each role needs many child permissions added, right?

But how to use yii->user->can? org/:id/blogPost?

pigochu commented 4 years ago

The structure I designed by myself will look like this. Very simple and easy to manage.

auth_assignment:

| user | item_name | domain  |
|------|-----------|---------|
| 1    | org/admin | org/1   |
| 1    | org/admin | org/1/* |
| 2    | org/admin | org/1/2 |
| 2    | org/staff | org/1/3 |

auth_item:

| name               | type |
|--------------------|------|
| org/admin          | 1    |
| org/staff          | 1    |
| org/dasboard:view  | 2    |
| org/staff:create   | 2    |
| org/staff:update   | 2    |
| org/staff:view     | 2    |

auth_item_child:

| parent    | child             |
|-----------|-------------------|
| org/admin | org/staff:create  |
| org/admin | org/staff:update  |
| org/staff | org/staff:view    |
| org/staff | org/dasboard:view |
| org/admin | org/staff         |

With this structure, I don’t need to create a lot of roles and permissions.
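A domain-scoped access check over the three tables above, as an added example (not rbac-db or the author's code): the tables are held in memory as constructed sample data, and an assignment only counts when its domain covers the domain being checked, so a role held in org/1/3 grants nothing in org/1/2. The wildcard match keeps the trailing slash in the prefix so that org/1/* does not cover org/10/2.

```php
<?php
// Added example, not rbac-db code: a domain-scoped access check over the three
// tables above, held in memory as constructed sample data.
const AUTH_ASSIGNMENT = [               // [user, item_name, domain]
    [1, 'org/admin', 'org/1'],
    [1, 'org/admin', 'org/1/*'],
    [2, 'org/admin', 'org/1/2'],
    [2, 'org/staff', 'org/1/3'],
];
const AUTH_ITEM_CHILD = [               // [parent, child]
    ['org/admin', 'org/staff:create'],
    ['org/admin', 'org/staff:update'],
    ['org/staff', 'org/staff:view'],
    ['org/staff', 'org/dasboard:view'],
    ['org/admin', 'org/staff'],
];
// "org/1/*" covers "org/1/2" but not "org/1" itself; keeping the trailing
// slash in the prefix stops it from covering "org/10/2". Else exact match.
function domainCovers(string $assigned, string $requested): bool
{
    if (substr($assigned, -2) !== '/*') {
        return $assigned === $requested;
    }
    $prefix = substr($assigned, 0, -1);                 // "org/1/"
    return strncmp($requested, $prefix, strlen($prefix)) === 0;
}
// Start from the user's assignments whose domain covers $domain (so a role
// held in org/1/3 grants nothing in org/1/2), then walk auth_item_child.
function canInDomain(int $userId, string $permission, string $domain): bool
{
    $queue = [];
    foreach (AUTH_ASSIGNMENT as [$user, $item, $assignedDomain]) {
        if ($user === $userId && domainCovers($assignedDomain, $domain)) {
            $queue[] = $item;
        }
    }
    $seen = [];                                         // cycle guard
    while ($queue) {
        $item = array_pop($queue);
        if ($item === $permission) { return true; }
        if (isset($seen[$item])) { continue; }
        $seen[$item] = true;
        foreach (AUTH_ITEM_CHILD as [$parent, $child]) {
            if ($parent === $item) { $queue[] = $child; }
        }
    }
    return false;
}
var_dump(canInDomain(1, 'org/staff:update', 'org/1/3'));   // admin via org/1/*
var_dump(canInDomain(2, 'org/staff:update', 'org/1/3'));   // only org/staff there
```

User 1 reaches org/staff:update in org/1/3 through the org/1/* assignment, while user 2 holds only org/staff there and is refused; the same table row for org/1/2 would not help user 2 in org/1/3.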

samdark commented 4 years ago

> So I need to create many org/:id/blog.admin, org/:id/xxx roles, and each role needs many child permissions added, right? But how to use yii->user->can? org/:id/blogPost?

Correct.

> With this structure, I don't need to create a lot of roles and permissions.

You are assuming that items hierarchy is reused for all the domains. That saves creating more items but could be a huge problem in case domains will start having different item configurations. For example, org/staff in org/1/2 can view dashboard but org/staff in org/1/3 should not view dashboard.

pigochu commented 4 years ago

> You are assuming that items hierarchy is reused for all the domains. That saves creating more items but could be a huge problem in case domains will start having different item configurations. For example, org/staff in org/1/2 can view dashboard but org/staff in org/1/3 should not view dashboard.

Why is this a huge problem? This is what I want. Every domain has a dashboard showing different info for different domain staff, e.g. a multi-tenant mall.

samdark commented 4 years ago

It can be desired for you now because all your domains are similar, but it will become a huge mess if any of these similar domains goes in a different direction.