Open pigochu opened 4 years ago
Am I correct that you have multiple websites and want a single RBAC hierarchy to manage permissions for all these at once?
No, a single site, but with a two-level organization.
The domains look like: `org/1`, `org/1/2`, `org/1/3`, `org/4`
`org/1` is a parent domain; `org/1/2` and `org/1/3` are children; `org/4` is a parent. So I can also assign a user to domain `org/1/*`, and this user can access all children of `org/1`. Each domain may have more than one manager, and each domain has many staff or other roles.
Casbin can support it; I have posted a question there.
https://github.com/php-casbin/php-casbin/issues/55
But Casbin has a problem: it always queries all data from the database when running in classic PHP page mode (cgi/fpm/fork ...). If I have a lot of users and domains, I think it will be slow.
Can't this be implemented with multiple roles and inheritance? i.e.

- `org/1`
  - `do_thing_in_1`
- `org/1/2`
  - `do_thing_in_2`
- `org/1/3`
  - `do_thing_in_3`
- `org/4`
  - `do_thing_in_4`

A user can have `org/1` assigned. That will give him permissions from `org/1/2` and `org/1/3` as well. Also a user can be assigned multiple roles such as `org/1/2`, `org/4`.
You mean when I check access I use `Yii::$app->user->can("do_thing_in_1")`?
I think it's hard to manage for me....
If I add a domain column to the assignment table, it will be simple. However, I am implementing my own RBAC; I rewrote many classes and am testing now, but it's not flexible.. ha ha
Now I add a `setDomain` in `Yii::$app->user`, so:

```php
Yii::$app->user->setDomain(["org/1", "org/1/*"]); // beforeAction event: I can set that the current user is in domain org/1 and all children
Yii::$app->user->can("updateOrg"); // it means the user can do updateOrg in org/1
```

I also added some methods:

```php
Yii::$app->user->getRolesByUserWithDomain(1, "org/1"); // I can get the user's roles in domain org/1.
```

These are my current roles; it's very simple, no `do_thing_in_xxxxx`, so it's easy to manage.
> I think it's hard to manage for me....

Why? Different domains are usually implemented separately. Thus you still need to explicitly check for concrete permissions there, right?
Because I need to design a management page; I need to list who is org admin or staff in each domain.
I assume that will still be a single page? That would require some effort to convert path-like roles into groups by domain.

- Get role-user assignments. That would give you roles like `store.admin`, `store.manager`, `blog.admin`, `blog.author`.
- For each domain such as `store` or `blog`, collect the role-user assignments prefixed with the domain path.
- Remove the domain path to get the user's role within the domain.

RBAC itself may stay the same in this case.
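As an added example (not the project's code and not either participant's), here is one way to carry out the three steps above in plain PHP. It assumes role names are built as `<domain path>/<role>` (e.g. `org/1/2/store.admin`) and that the list of known domains is available; `$domains` and `$assignments` are constructed sample data. The longest known domain prefix wins, so `org/1` does not swallow assignments that belong to `org/1/2`.

```php
<?php
declare(strict_types=1);

// Added example: group "<domain path>/<role>" assignments by domain.
// Assumes role names are prefixed with the domain path and a "/" separator.

/**
 * Split e.g. "org/1/2/store.admin" into ['domain' => 'org/1/2', 'role' => 'store.admin'].
 * Returns null for items that carry no known domain prefix (global roles).
 */
function splitDomainRole(string $itemName, array $domains): ?array
{
    // Longest prefix first, so "org/1/2" is tried before "org/1".
    usort($domains, fn (string $a, string $b): int => strlen($b) <=> strlen($a));
    foreach ($domains as $domain) {
        $prefix = $domain . '/';
        // The trailing "/" keeps "org/1/" from matching "org/10/..." items.
        if (strncmp($itemName, $prefix, strlen($prefix)) === 0) {
            return ['domain' => $domain, 'role' => substr($itemName, strlen($prefix))];
        }
    }
    return null;
}

/**
 * Steps 2 and 3: collect assignments per domain and strip the domain path,
 * giving [domain => [userId => [role, ...]]] for a management page.
 */
function groupAssignmentsByDomain(array $assignments, array $domains): array
{
    $byDomain = [];
    foreach ($assignments as [$userId, $itemName]) {
        $split = splitDomainRole($itemName, $domains);
        if ($split === null) {
            continue; // not domain-scoped; list it elsewhere
        }
        $byDomain[$split['domain']][$userId][] = $split['role'];
    }
    ksort($byDomain);
    return $byDomain;
}

// Constructed sample data (step 1 would normally read auth_assignment).
$domains = ['org/1', 'org/1/2', 'org/1/3', 'org/4'];
$assignments = [
    [1, 'org/1/store.admin'],
    [1, 'org/1/2/blog.author'],
    [2, 'org/1/2/store.manager'],
    [2, 'org/4/blog.admin'],
    [3, 'superadmin'],
];

print_r(groupAssignmentsByDomain($assignments, $domains));
```

The trailing separator in the prefix check is the part that matters: matching on the bare domain string would let `org/1` claim `org/10/...` items, and sorting by length first is what keeps a parent domain from claiming its children's roles.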
So I need to create many `org/:id/blog.admin`, `org/:id/xxx` roles, and each role needs many child permissions added, right?
But how do I use `yii->user->can`? `org/:id/blogPost`?
The structure I designed by myself will look like this. Very simple and easy to manage.

auth_assignment:

| user | item_name | domain |
|---|---|---|
| 1 | org/admin | org/1 |
| 1 | org/admin | org/1/* |
| 2 | org/admin | org/1/2 |
| 2 | org/staff | org/1/3 |

auth_item:

| name | type |
|---|---|
| org/admin | 1 |
| org/staff | 1 |
| org/dashboard:view | 2 |
| org/staff:create | 2 |
| org/staff:update | 2 |
| org/staff:view | 2 |

auth_item_child:

| parent | child |
|---|---|
| org/admin | org/staff:create |
| org/admin | org/staff:update |
| org/staff | org/staff:view |
| org/staff | org/dashboard:view |
| org/admin | org/staff |

With this structure, I don't need to create a lot of roles and permissions.
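The tables above can be turned into a domain-aware check. The following is an added example in plain PHP, not the poster's code and not the library's, with `ASSIGNMENTS` and `CHILDREN` constructed from the three tables. It assumes the wildcard semantics described earlier in the thread: `org/1` grants only that domain, while `org/1/*` grants every descendant of `org/1` (`org/1/2`, `org/1/3`, ...) but not `org/1` itself and not `org/10`.

```php
<?php
declare(strict_types=1);

// Added example: domain-aware permission check over a domain column,
// with rows constructed from the thread's auth_assignment / auth_item_child.

const ASSIGNMENTS = [
    ['user' => 1, 'item' => 'org/admin', 'domain' => 'org/1'],
    ['user' => 1, 'item' => 'org/admin', 'domain' => 'org/1/*'],
    ['user' => 2, 'item' => 'org/admin', 'domain' => 'org/1/2'],
    ['user' => 2, 'item' => 'org/staff', 'domain' => 'org/1/3'],
];

// parent => children; one hierarchy shared by every domain
const CHILDREN = [
    'org/admin' => ['org/staff:create', 'org/staff:update', 'org/staff'],
    'org/staff' => ['org/staff:view', 'org/dashboard:view'],
];

/**
 * Does an assignment's domain cover the requested domain?
 * "org/1" matches only "org/1"; "org/1/*" matches "org/1/2", "org/1/2/9", ...
 * but not "org/1" itself and not "org/10" (the prefix keeps its "/").
 */
function domainMatches(string $granted, string $requested): bool
{
    if ($granted === $requested) {
        return true;
    }
    if (substr($granted, -2) !== '/*') {
        return false;
    }
    $prefix = substr($granted, 0, -1); // 'org/1/*' -> 'org/1/'
    return strncmp($requested, $prefix, strlen($prefix)) === 0;
}

/**
 * Expand roles into the set of all items reachable through auth_item_child.
 * The $seen set also protects against cycles in the child table.
 */
function expandItems(array $roots): array
{
    $seen = [];
    $queue = $roots;
    while ($queue !== []) {
        $item = array_shift($queue);
        if (isset($seen[$item])) {
            continue;
        }
        $seen[$item] = true;
        foreach (CHILDREN[$item] ?? [] as $child) {
            $queue[] = $child;
        }
    }
    return $seen;
}

/** The equivalent of can($permission) once the current domain is known. */
function canInDomain(int $userId, string $permission, string $domain): bool
{
    $roots = [];
    foreach (ASSIGNMENTS as $row) {
        if ($row['user'] === $userId && domainMatches($row['domain'], $domain)) {
            $roots[] = $row['item'];
        }
    }
    return isset(expandItems($roots)[$permission]);
}

var_dump(canInDomain(1, 'org/staff:view', 'org/1/2'));   // the org/1/* row applies
var_dump(canInDomain(2, 'org/staff:create', 'org/1/3')); // user 2 is only org/staff there
var_dump(canInDomain(1, 'org/staff:view', 'org/10'));    // org/1/* must not reach org/10
```

Two practical points: the `$domain` argument has to come from the server-side tenant context (the route or session that `beforeAction` resolves), never from a client-supplied parameter, or the caller chooses which domain they are checked against; and because the check only needs the current user's rows plus the child table, it avoids the load-everything behaviour mentioned earlier for Casbin.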
> So I need to create many `org/:id/blog.admin`, `org/:id/xxx` roles, and each role needs many child permissions added, right? But how do I use `yii->user->can`? `org/:id/blogPost`?

Correct.

> With this structure, I don't need to create a lot of roles and permissions.

You are assuming that the item hierarchy is reused for all the domains. That saves creating more items but could be a huge problem in case domains start having different item configurations. For example, `org/staff` in `org/1/2` can view the dashboard but `org/staff` in `org/1/3` should not view the dashboard.
Why is this a huge problem? This is what I want. Every domain has a dashboard showing different info for different domain staff, e.g. a multi-tenant mall.
It can be desired for you now because all your domains are similar, but it will become a huge mess if any of these similar domains goes in a different direction.
I want to design a multiple domain/tenant RBAC,
but auth_assignment item_name is the primary key.
So I need to create roles `domain/1/admin`, `domain/2/admin`, etc.... Then I can assign users to those domains.
But it's hard to manage, because I need to add all permissions for each domain's roles.
I think rbac-db can add a domain id to the auth_assignment table.
But not everyone needs a domain id, so this is not a good idea.
Another way: if I use a filter, maybe it can be more flexible, e.g.:
Then I can add a domain_id column to the assignment table.