Method of defining Role hierarchy?
zolrath opened this issue
In the case of having roles such as ADMIN, MANAGER, REP, USER while defining the lower tier of rules for a User in this case:
    {
        target: ['any-of',
            {type: "role", value: "ADMIN"},
            {type: "role", value: "MANAGER"},
            {type: "role", value: "REP"},
            {type: "role", value: "USER"},
        ],
        effect: 'permit'
    }
it appears that I must do an 'any-of' and supply every more privileged role in the rule.
Is there a method of defining that ADMIN > MANAGER > REP > USER, allowing something akin to a greater-than-or-equal-to rule: {type: "role", gte: "USER"}?
This rbac plugin, as it is now, has no knowledge of the data. It means that it is not possible to infer hierarchies.
But you can play with the rules/effects. If you want to grant access to:
(1) All except USER, then:
    {
        apply: 'deny-overrides', // DENY if at least one deny applies
        rules: [
            {
                target: ['any-of',
                    {type: "role", value: "USER"}
                ],
                effect: 'deny'
            },
            {
                effect: 'permit' // always applies, overridden by the first rule if applicable
            }
        ]
    }
(2) All, except USER and REP:
    {
        apply: 'deny-overrides', // DENY if at least one deny applies
        rules: [
            {
                target: ['any-of',
                    {type: "role", value: "USER"},
                    {type: "role", value: "REP"}
                ],
                effect: 'deny'
            },
            {
                effect: 'permit' // always applies, overridden by the first rule if applicable
            }
        ]
    }
(3) Only ADMIN and MANAGER (same as 2, in this case):
    {
        apply: 'permit-overrides', // PERMIT if at least one permit applies
        rules: [
            {
                target: ['any-of',
                    {type: "role", value: "ADMIN"},
                    {type: "role", value: "MANAGER"}
                ],
                effect: 'permit'
            },
            {
                effect: 'deny' // always applies, overridden by the first rule if applicable
            }
        ]
    }
Edit: Added policy. If no rule applies, then the result is undetermined and access is denied. For it to work, you need to define one rule which applies by default.
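The following is an added, self-contained illustration of the reply above; it is not the plugin's own code. It is a toy evaluator with the semantics the reply describes (any-of targets, deny-overrides and permit-overrides combining, no applicable rule meaning undetermined and therefore denied), plus two hypothetical helpers that go beyond the three hand-written policies by generating a "role at least X" policy from an ordered hierarchy: one in the deny-list form of policies (1) and (2), one in the allow-list form of policy (3). All function names, the `all-of` operator and the attribute-matching rule are assumptions for illustration; the real plugin's matching may differ.

```javascript
// Added example, not the plugin's own code: a toy evaluator with the semantics the
// reply describes (any-of targets, deny-overrides / permit-overrides combining,
// no applicable rule => 'undetermined' => access denied), plus hypothetical helpers
// that generate a "role >= minimum" policy from an ordered hierarchy.

// Match a target against a subject's attributes. Forms supported here (assumed):
//   undefined            -> rule has no target and always applies
//   ['any-of', t1, t2..] -> at least one sub-target matches
//   ['all-of', t1, t2..] -> every sub-target matches
//   {type, value}        -> subject[type] equals value (or contains it, if an array)
function matchTarget(target, subject) {
  if (target === undefined) return true;
  if (Array.isArray(target)) {
    const [op, ...items] = target;
    if (op === 'any-of') return items.some((t) => matchTarget(t, subject));
    if (op === 'all-of') return items.every((t) => matchTarget(t, subject));
    throw new Error(`unknown target operator: ${op}`);
  }
  const attr = subject[target.type];
  return Array.isArray(attr) ? attr.includes(target.value) : attr === target.value;
}

// A rule yields its effect when its target matches, otherwise 'undetermined'.
function evaluateRule(rule, subject) {
  return matchTarget(rule.target, subject) ? rule.effect : 'undetermined';
}

// Combine rule results with the policy's algorithm. A policy with no applicable
// rule stays 'undetermined', which isAllowed() treats as denied.
function evaluatePolicy(policy, subject) {
  const results = policy.rules.map((rule) => evaluateRule(rule, subject));
  const order = policy.apply === 'deny-overrides' ? ['deny', 'permit']
              : policy.apply === 'permit-overrides' ? ['permit', 'deny']
              : null;
  if (order === null) throw new Error(`unknown combining algorithm: ${policy.apply}`);
  return order.find((effect) => results.includes(effect)) || 'undetermined';
}

function isAllowed(policy, subject) {
  return evaluatePolicy(policy, subject) === 'permit';
}

// Hypothetical helper: the deny-list form of the reply's policies (1) and (2).
// Every role ranked below `minimum` is denied explicitly; a target-less permit
// rule is the default so the result is never undetermined.
function roleAtLeastDenyList(hierarchy, minimum) {
  const idx = hierarchy.indexOf(minimum);
  if (idx < 0) throw new Error(`unknown role: ${minimum}`);
  const below = hierarchy.slice(idx + 1).map((value) => ({ type: 'role', value }));
  const rules = [];
  if (below.length > 0) rules.push({ target: ['any-of', ...below], effect: 'deny' });
  rules.push({ effect: 'permit' });
  return { apply: 'deny-overrides', rules };
}

// Hypothetical helper: the allow-list form of the reply's policy (3). Roles at or
// above `minimum` are permitted explicitly; the default rule denies everyone else,
// so an unknown or missing role fails closed.
function roleAtLeastAllowList(hierarchy, minimum) {
  const idx = hierarchy.indexOf(minimum);
  if (idx < 0) throw new Error(`unknown role: ${minimum}`);
  const atLeast = hierarchy.slice(0, idx + 1).map((value) => ({ type: 'role', value }));
  return {
    apply: 'permit-overrides',
    rules: [
      { target: ['any-of', ...atLeast], effect: 'permit' },
      { effect: 'deny' },
    ],
  };
}

// Constructed sample data: the hierarchy from the issue, highest privilege first.
const HIERARCHY = ['ADMIN', 'MANAGER', 'REP', 'USER'];

// Run both forms for "at least REP" over each role plus two edge cases
// (subject with no role, subject with an unrecognised role).
function demo() {
  const subjects = {
    ADMIN: { role: 'ADMIN' }, MANAGER: { role: 'MANAGER' },
    REP: { role: ['REP'] }, USER: { role: 'USER' },
    none: {}, unknown: { role: 'GUEST' },
  };
  const out = {};
  for (const [name, subject] of Object.entries(subjects)) {
    out[name] = {
      denyList: isAllowed(roleAtLeastDenyList(HIERARCHY, 'REP'), subject),
      allowList: isAllowed(roleAtLeastAllowList(HIERARCHY, 'REP'), subject),
    };
  }
  return out;
}

console.table(demo());
```

Running `demo()` shows the two forms agree for every role in the hierarchy but differ on the edge cases: the deny-list form (policies (1) and (2)) ends in a target-less permit, so a subject with no role attribute or with a role the policy has never heard of is permitted; the allow-list form (policy (3)) ends in a default deny, so the same subjects are denied. When the role set can grow or a request can arrive without a role, the allow-list form with a default deny is the one that fails closed.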