diff --git a/docs/OrBAC.mdx b/docs/OrBAC.mdx new file mode 100644 index 0000000..08cd97b --- /dev/null +++ b/docs/OrBAC.mdx 
@@ -0,0 +1,132 @@ +--- +id: orbac +title: OrBAC +description: Organisation-Based Access Control model in Casbin +keywords: + [ + orbac, + organisation-based access control, + organizational access control, + role abstraction, + ] +authors: [casbin] +--- + +## What is the OrBAC model? + +OrBAC stands for Organisation-Based Access Control. It extends traditional RBAC by introducing abstraction layers that separate concrete entities from abstract security policies. This separation enables more flexible and maintainable access control across multiple organizations. + +In OrBAC, access decisions rely on three key abstraction mappings within an organizational context: + +- **Empower**: Maps subjects (users) to roles within organizations +- **Use**: Maps concrete actions to abstract activities within organizations +- **Consider**: Maps concrete objects to abstract views within organizations + +These abstractions allow you to define policies using roles, activities, and views instead of concrete subjects, actions, and objects. This makes policies organization-specific while remaining independent of the actual entities. 
+ +## OrBAC Model Definition + +Here's the OrBAC model configuration: + +```ini +[request_definition] +r = sub, org, obj, act + +[policy_definition] +p = role, activity, view, org + +[role_definition] +g = _, _, _ +g2 = _, _, _ +g3 = _, _, _ + +[policy_effect] +e = some(where (p.eft == allow)) + +[matchers] +m = g(r.sub, p.role, r.org) && g2(r.act, p.activity, r.org) && g3(r.obj, p.view, r.org) && r.org == p.org +``` + +In this model: + +- `g(r.sub, p.role, r.org)` checks if the subject has the role in the organization (Empower) +- `g2(r.act, p.activity, r.org)` checks if the action corresponds to the activity in the organization (Use) +- `g3(r.obj, p.view, r.org)` checks if the object belongs to the view in the organization (Consider) +- `r.org == p.org` ensures the organization context matches + +## Policy Examples + +**Permission rules** define which roles can perform which activities on which views within an organization: + +```csv +# Permission: role, activity, view, organization +p, manager, modify, document, org1 +p, manager, consult, document, org1 +p, employee, consult, document, org1 +p, manager, modify, report, org2 +p, manager, consult, report, org2 +p, employee, consult, report, org2 +``` + +**Empower rules** assign subjects to roles within organizations: + +```csv +# Empower: subject, role, organization +g, alice, manager, org1 +g, bob, employee, org1 +g, charlie, manager, org2 +g, david, employee, org2 +``` + +**Use rules** map concrete actions to abstract activities: + +```csv +# Use: action, activity, organization +g2, write, modify, org1 +g2, read, consult, org1 +g2, write, modify, org2 +g2, read, consult, org2 +``` + +**Consider rules** map concrete objects to abstract views: + +```csv +# Consider: object, view, organization +g3, data1, document, org1 +g3, data2, document, org1 +g3, report1, report, org2 +g3, report2, report, org2 +``` + +## Code Example + +```go +import "github.com/casbin/casbin/v2" + +e, _ := 
casbin.NewEnforcer("examples/orbac_model.conf", "examples/orbac_policy.csv") + +// alice is a manager in org1, can read and write documents +ok, _ := e.Enforce("alice", "org1", "data1", "read") // true +ok, _ = e.Enforce("alice", "org1", "data1", "write") // true + +// bob is an employee in org1, can only read documents +ok, _ = e.Enforce("bob", "org1", "data1", "read") // true +ok, _ = e.Enforce("bob", "org1", "data1", "write") // false + +// charlie is a manager in org2, can read and write reports +ok, _ = e.Enforce("charlie", "org2", "report1", "read") // true +ok, _ = e.Enforce("charlie", "org2", "report1", "write") // true + +// Cross-organization access is denied +ok, _ = e.Enforce("alice", "org2", "report1", "read") // false +ok, _ = e.Enforce("charlie", "org1", "data1", "read") // false +``` + +## Benefits + +OrBAC provides several advantages over traditional access control models: + +- **Abstraction**: Policies are defined using abstract security entities (roles, activities, views) rather than concrete ones, making them easier to maintain and adapt +- **Organization Context**: Each organization can have its own policies and mappings while sharing the same underlying security model +- **Flexibility**: You can change concrete entity mappings without modifying the core security policies +- **Scalability**: The abstraction layers reduce policy complexity in multi-organizational environments diff --git a/docs/SupportedModels.mdx b/docs/SupportedModels.mdx index c10fe42..6f2d574 100644 --- a/docs/SupportedModels.mdx +++ b/docs/SupportedModels.mdx 
@@ -18,11 +18,12 @@ authors: [nodece] 10. **[BLP (Bell-LaPadula)](https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model)**: A formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. 11. **[Biba (Biba Integrity Model)](https://en.wikipedia.org/wiki/Biba_Model)**: A computer security model that restricts information flow in a system to prevent unauthorized disclosure of classified information. 12. **[LBAC (Lattice-Based Access Control)](./LBAC)**: A formal access control model that combines confidentiality and integrity controls in a unified framework, implementing a lattice structure for granular access control decisions. -13. **[UCON (Usage Control)](./UCON)**: A next-generation access control model that emphasizes continuous authorization, attribute mutability, and a unified framework of authorizations, obligations, and conditions. -14. **[RESTful](https://en.wikipedia.org/wiki/Representational_state_transfer)**: Supports paths like "/res/*", "/res/:id", and HTTP methods like "GET", "POST", "PUT", "DELETE". -15. **IP Match**: Supports IP address matching for network-based access control. -16. **Deny-override**: Both allow and deny authorizations are supported, where deny overrides allow. -17. **Priority**: The policy rules can be prioritized, similar to firewall rules. +13. **[OrBAC (Organisation-Based Access Control)](./OrBAC)**: Extends RBAC with abstraction layers that separate concrete entities from abstract security policies, enabling flexible multi-organizational access control. +14. **[UCON (Usage Control)](./UCON)**: A next-generation access control model that emphasizes continuous authorization, attribute mutability, and a unified framework of authorizations, obligations, and conditions. +15. 
**[RESTful](https://en.wikipedia.org/wiki/Representational_state_transfer)**: Supports paths like "/res/*", "/res/:id", and HTTP methods like "GET", "POST", "PUT", "DELETE". +16. **IP Match**: Supports IP address matching for network-based access control. +17. **Deny-override**: Both allow and deny authorizations are supported, where deny overrides allow. +18. **Priority**: The policy rules can be prioritized, similar to firewall rules. ## Examples @@ -40,6 +41,7 @@ authors: [nodece] | BLP | [blp_model.conf](https://github.com/casbin/casbin/blob/master/examples/blp_model.conf) | N/A | | Biba | [biba_model.conf](https://github.com/casbin/casbin/blob/master/examples/biba_model.conf) | N/A | | LBAC | [lbac_model.conf](https://github.com/casbin/casbin/blob/master/examples/lbac_model.conf) | N/A | +| OrBAC | [orbac_model.conf](https://github.com/casbin/casbin/blob/master/examples/orbac_model.conf) | [orbac_policy.csv](https://github.com/casbin/casbin/blob/master/examples/orbac_policy.csv) | | IP Match | [ipmatch_model.conf](https://github.com/casbin/casbin/blob/master/examples/ipmatch_model.conf) | [ipmatch_policy.csv](https://github.com/casbin/casbin/blob/master/examples/ipmatch_policy.csv) | | RESTful | [keymatch_model.conf](https://github.com/casbin/casbin/blob/master/examples/keymatch_model.conf) | [keymatch_policy.csv](https://github.com/casbin/casbin/blob/master/examples/keymatch_policy.csv) | | Deny-override | [rbac_with_not_deny_model.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_not_deny_model.conf) | [rbac_with_deny_policy.csv](https://github.com/casbin/casbin/blob/master/examples/rbac_with_deny_policy.csv) | diff --git a/docusaurus.config.js b/docusaurus.config.js index be79bf2..543ea3f 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js 
@@ -5,7 +5,7 @@ const darkCodeTheme = require("prism-react-renderer/themes/dracula"); module.exports = { title: "Casbin", tagline: - "An authorization library that supports access control models like ACL, RBAC, ABAC for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir", + "An authorization library that supports access control models like ACL, RBAC, ABAC, ReBAC, PBAC, OrBAC, BLP, Biba, LBAC, UCON for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir", url: "https://casbin.org", baseUrl: "/", onBrokenLinks: "throw", @@ -18,7 +18,7 @@ module.exports = { { name: "Casbin", content: - "An authorization library that supports access control models like ACL, RBAC, ABAC for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir", + "An authorization library that supports access control models like ACL, RBAC, ABAC, ReBAC, PBAC, OrBAC, BLP, Biba, LBAC, UCON for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir", }, ], algolia: { diff --git a/sidebars.js b/sidebars.js index 5733ab8..807a44f 100644 --- a/sidebars.js +++ b/sidebars.js @@ -53,6 +53,7 @@ module.exports = { "blp", "biba", "lbac", + "orbac", "priority-model", "ucon", "superadmin", diff --git a/src/pages/index.js b/src/pages/index.js index 6c1e2f1..428484c 100644 --- a/src/pages/index.js +++ b/src/pages/index.js @@ -33,7 +33,7 @@ function HomepageHeader() {

{siteConfig.title}

-

An authorization library that supports access control models like ACL, RBAC, ABAC, ReBAC, BLP, Biba, LBAC, UCON, Priority, RESTful for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir

+

An authorization library that supports access control models like ACL, RBAC, ABAC, ReBAC, PBAC, OrBAC, BLP, Biba, LBAC, UCON, Priority, RESTful for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir

+ description="An authorization library that supports access control models like ACL, RBAC, ABAC, ReBAC, PBAC, OrBAC, BLP, Biba, LBAC, UCON, Priority, RESTful for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir">
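Review bot: In the `## Code Example` block of docs/OrBAC.mdx, `e, _ := casbin.NewEnforcer(...)` drops the error and `ok` is assigned on every line but never read, so the snippet will not compile inside a Go function (`ok declared and not used`) and a bad model/policy path would surface only as a nil-pointer panic on the first `Enforce`. Suggest `e, err := casbin.NewEnforcer("examples/orbac_model.conf", "examples/orbac_policy.csv")` followed by `if err != nil { log.Fatal(err) }`, and either print or use each `ok` result so the documented `// true` / `// false` outcomes can actually be observed. Separately, since `g2` and `g3` are declared as role definitions, the page could note that they inherit Casbin's transitive role resolution, which lets readers express activity and view hierarchies (for example a `modify` activity that also covers `consult`) without adding extra `p` rules; that is a property of the model as written, not an extra feature.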
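Review bot: The new OrBAC row in docs/SupportedModels.mdx links to examples/orbac_model.conf and examples/orbac_policy.csv on casbin/casbin master; if those files have not landed in the core repo yet, both links 404 and the `docs/OrBAC.mdx` code example cannot be run as documented, so this should be merged after (or reference) the corresponding casbin/casbin PR. The renumbering of UCON through Priority (13 to 18) is consistent. One drive-by on the unchanged context line for item 11: Biba is an integrity model, and the sentence describing it as preventing "unauthorized disclosure of classified information" is the Bell-LaPadula confidentiality goal; consider fixing that wording while this list is being touched.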
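Review bot: The model list in docusaurus.config.js is now maintained by hand in three places (`tagline`, the `<meta name="Casbin">` `content`, and the two occurrences in src/pages/index.js) and they already disagree: the index.js strings include "Priority, RESTful" and ReBAC was present there before this change, while the docusaurus.config.js strings had neither ReBAC nor those two models until now. Suggest exporting a single `siteDescription` constant from docusaurus.config.js (available to index.js via `useDocusaurusContext().siteConfig`) so the next model added, like OrBAC here, only has to be listed once.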
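Review bot: In src/pages/index.js the same description string is duplicated inside the hunk as both the visible hero text and the `description=` prop on the Layout component, so adding PBAC and OrBAC required two identical edits; pulling the string into a local constant (or reading `siteConfig.tagline`, which is already destructured as `siteConfig` in this function) removes the duplication and keeps the page copy and the HTML meta description from drifting apart.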