From d7011f184d0dcb5cc6777ce60436a2d9ad72484e Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 1 Nov 2025 06:20:27 +0000 Subject: [PATCH 1/4] Initial plan From 2ef6744253322a68c40356bc5f38877db19afcb7 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 1 Nov 2025 06:38:14 +0000 Subject: [PATCH 2/4] Add OrBAC documentation based on PR #1567 Co-authored-by: nomeguy <85475922+nomeguy@users.noreply.github.com> --- docs/OrBAC.mdx | 130 +++++++++++++++++++++++++++++++++++++++ docs/SupportedModels.mdx | 12 ++-- sidebars.js | 1 + 3 files changed, 138 insertions(+), 5 deletions(-) create mode 100644 docs/OrBAC.mdx diff --git a/docs/OrBAC.mdx b/docs/OrBAC.mdx new file mode 100644 index 0000000..738744d --- /dev/null +++ b/docs/OrBAC.mdx 
@@ -0,0 +1,130 @@ +--- +id: orbac +title: OrBAC +description: Organisation-Based Access Control model in Casbin +keywords: + [ + orbac, + organisation-based access control, + organizational access control, + role abstraction, + ] +authors: [casbin] +--- + +## What is the OrBAC model? + +OrBAC stands for Organisation-Based Access Control. It extends traditional RBAC by introducing abstraction layers that separate concrete entities from abstract security policies. This separation enables more flexible and maintainable access control across multiple organizations. + +In OrBAC, access decisions rely on three key abstraction mappings within an organizational context: + +- **Empower**: Maps subjects (users) to roles within organizations +- **Use**: Maps concrete actions to abstract activities within organizations +- **Consider**: Maps concrete objects to abstract views within organizations + +These abstractions allow you to define policies using roles, activities, and views instead of concrete subjects, actions, and objects. This makes policies organization-specific while remaining independent of the actual entities. 
+ +## OrBAC Model Definition + +Here's the OrBAC model configuration: + +```ini +[request_definition] +r = sub, org, obj, act + +[policy_definition] +p = role, activity, view, org + +[role_definition] +g = _, _, _ +g2 = _, _, _ +g3 = _, _, _ + +[policy_effect] +e = some(where (p.eft == allow)) + +[matchers] +m = g(r.sub, p.role, r.org) && g2(r.act, p.activity, r.org) && g3(r.obj, p.view, r.org) && r.org == p.org +``` + +In this model: + +- `g(r.sub, p.role, r.org)` checks if the subject has the role in the organization (Empower) +- `g2(r.act, p.activity, r.org)` checks if the action corresponds to the activity in the organization (Use) +- `g3(r.obj, p.view, r.org)` checks if the object belongs to the view in the organization (Consider) +- `r.org == p.org` ensures the organization context matches + +## Policy Examples + +**Permission rules** define which roles can perform which activities on which views within an organization: + +```csv +# Permission: role, activity, view, organization +p, manager, modify, document, org1 +p, manager, consult, document, org1 +p, employee, consult, document, org1 +p, manager, modify, report, org2 +p, manager, consult, report, org2 +p, employee, consult, report, org2 +``` + +**Empower rules** assign subjects to roles within organizations: + +```csv +# Empower: subject, role, organization +g, alice, manager, org1 +g, bob, employee, org1 +g, charlie, manager, org2 +g, david, employee, org2 +``` + +**Use rules** map concrete actions to abstract activities: + +```csv +# Use: action, activity, organization +g2, write, modify, org1 +g2, read, consult, org1 +g2, write, modify, org2 +g2, read, consult, org2 +``` + +**Consider rules** map concrete objects to abstract views: + +```csv +# Consider: object, view, organization +g3, data1, document, org1 +g3, data2, document, org1 +g3, report1, report, org2 +g3, report2, report, org2 +``` + +## Code Example + +```go +e, _ := NewEnforcer("examples/orbac_model.conf", "examples/orbac_policy.csv") + +// 
alice is a manager in org1, can read and write documents +ok, _ := e.Enforce("alice", "org1", "data1", "read") // true +ok, _ = e.Enforce("alice", "org1", "data1", "write") // true + +// bob is an employee in org1, can only read documents +ok, _ = e.Enforce("bob", "org1", "data1", "read") // true +ok, _ = e.Enforce("bob", "org1", "data1", "write") // false + +// charlie is a manager in org2, can read and write reports +ok, _ = e.Enforce("charlie", "org2", "report1", "read") // true +ok, _ = e.Enforce("charlie", "org2", "report1", "write") // true + +// Cross-organization access is denied +ok, _ = e.Enforce("alice", "org2", "report1", "read") // false +ok, _ = e.Enforce("charlie", "org1", "data1", "read") // false +``` + +## Benefits + +OrBAC provides several advantages over traditional access control models: + +- **Abstraction**: Policies are defined using abstract security entities (roles, activities, views) rather than concrete ones, making them easier to maintain and adapt +- **Organization Context**: Each organization can have its own policies and mappings while sharing the same underlying security model +- **Flexibility**: You can change concrete entity mappings without modifying the core security policies +- **Scalability**: The abstraction layers reduce policy complexity in multi-organizational environments diff --git a/docs/SupportedModels.mdx b/docs/SupportedModels.mdx index c10fe42..6f2d574 100644 --- a/docs/SupportedModels.mdx +++ b/docs/SupportedModels.mdx 
@@ -18,11 +18,12 @@ authors: [nodece] 10. **[BLP (Bell-LaPadula)](https://en.wikipedia.org/wiki/Bell%E2%80%93LaPadula_model)**: A formal state transition model of computer security policy that describes a set of access control rules which use security labels on objects and clearances for subjects. 11. **[Biba (Biba Integrity Model)](https://en.wikipedia.org/wiki/Biba_Model)**: A computer security model that restricts information flow in a system to prevent unauthorized disclosure of classified information. 12. **[LBAC (Lattice-Based Access Control)](./LBAC)**: A formal access control model that combines confidentiality and integrity controls in a unified framework, implementing a lattice structure for granular access control decisions. -13. **[UCON (Usage Control)](./UCON)**: A next-generation access control model that emphasizes continuous authorization, attribute mutability, and a unified framework of authorizations, obligations, and conditions. -14. **[RESTful](https://en.wikipedia.org/wiki/Representational_state_transfer)**: Supports paths like "/res/*", "/res/:id", and HTTP methods like "GET", "POST", "PUT", "DELETE". -15. **IP Match**: Supports IP address matching for network-based access control. -16. **Deny-override**: Both allow and deny authorizations are supported, where deny overrides allow. -17. **Priority**: The policy rules can be prioritized, similar to firewall rules. +13. **[OrBAC (Organisation-Based Access Control)](./OrBAC)**: Extends RBAC with abstraction layers that separate concrete entities from abstract security policies, enabling flexible multi-organizational access control. +14. **[UCON (Usage Control)](./UCON)**: A next-generation access control model that emphasizes continuous authorization, attribute mutability, and a unified framework of authorizations, obligations, and conditions. +15. 
**[RESTful](https://en.wikipedia.org/wiki/Representational_state_transfer)**: Supports paths like "/res/*", "/res/:id", and HTTP methods like "GET", "POST", "PUT", "DELETE". +16. **IP Match**: Supports IP address matching for network-based access control. +17. **Deny-override**: Both allow and deny authorizations are supported, where deny overrides allow. +18. **Priority**: The policy rules can be prioritized, similar to firewall rules. ## Examples @@ -40,6 +41,7 @@ authors: [nodece] | BLP | [blp_model.conf](https://github.com/casbin/casbin/blob/master/examples/blp_model.conf) | N/A | | Biba | [biba_model.conf](https://github.com/casbin/casbin/blob/master/examples/biba_model.conf) | N/A | | LBAC | [lbac_model.conf](https://github.com/casbin/casbin/blob/master/examples/lbac_model.conf) | N/A | +| OrBAC | [orbac_model.conf](https://github.com/casbin/casbin/blob/master/examples/orbac_model.conf) | [orbac_policy.csv](https://github.com/casbin/casbin/blob/master/examples/orbac_policy.csv) | | IP Match | [ipmatch_model.conf](https://github.com/casbin/casbin/blob/master/examples/ipmatch_model.conf) | [ipmatch_policy.csv](https://github.com/casbin/casbin/blob/master/examples/ipmatch_policy.csv) | | RESTful | [keymatch_model.conf](https://github.com/casbin/casbin/blob/master/examples/keymatch_model.conf) | [keymatch_policy.csv](https://github.com/casbin/casbin/blob/master/examples/keymatch_policy.csv) | | Deny-override | [rbac_with_not_deny_model.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_not_deny_model.conf) | [rbac_with_deny_policy.csv](https://github.com/casbin/casbin/blob/master/examples/rbac_with_deny_policy.csv) | diff --git a/sidebars.js b/sidebars.js index 5733ab8..807a44f 100644 --- a/sidebars.js +++ b/sidebars.js @@ -53,6 +53,7 @@ module.exports = { "blp", "biba", "lbac", + "orbac", "priority-model", "ucon", "superadmin", From 4c708f2edf95fc9cc064fefbc526fb62eef6991a Mon Sep 17 00:00:00 2001 
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 1 Nov 2025 06:42:15 +0000 Subject: [PATCH 3/4] Add import statement to OrBAC code example Co-authored-by: nomeguy <85475922+nomeguy@users.noreply.github.com> --- docs/OrBAC.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/OrBAC.mdx b/docs/OrBAC.mdx index 738744d..08cd97b 100644 --- a/docs/OrBAC.mdx +++ b/docs/OrBAC.mdx @@ -101,7 +101,9 @@ g3, report2, report, org2 ## Code Example ```go -e, _ := NewEnforcer("examples/orbac_model.conf", "examples/orbac_policy.csv") +import "github.com/casbin/casbin/v2" + +e, _ := casbin.NewEnforcer("examples/orbac_model.conf", "examples/orbac_policy.csv") // alice is a manager in org1, can read and write documents ok, _ := e.Enforce("alice", "org1", "data1", "read") // true From 8a77641eae4f3a9f899fc69c2ef994a87abc2aa2 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Sat, 1 Nov 2025 07:53:38 +0000 Subject: [PATCH 4/4] Update frontend with OrBAC and PBAC model references Co-authored-by: nomeguy <85475922+nomeguy@users.noreply.github.com> --- docusaurus.config.js | 4 ++-- src/pages/index.js | 6 +++--- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/docusaurus.config.js b/docusaurus.config.js index be79bf2..543ea3f 100644 --- a/docusaurus.config.js +++ b/docusaurus.config.js 
@@ -5,7 +5,7 @@ const darkCodeTheme = require("prism-react-renderer/themes/dracula"); module.exports = { title: "Casbin", tagline: - "An authorization library that supports access control models like ACL, RBAC, ABAC for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir", + "An authorization library that supports access control models like ACL, RBAC, ABAC, ReBAC, PBAC, OrBAC, BLP, Biba, LBAC, UCON for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir", url: "https://casbin.org", baseUrl: "/", onBrokenLinks: "throw", @@ -18,7 +18,7 @@ module.exports = { { name: "Casbin", content: - "An authorization library that supports access control models like ACL, RBAC, ABAC for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir", + "An authorization library that supports access control models like ACL, RBAC, ABAC, ReBAC, PBAC, OrBAC, BLP, Biba, LBAC, UCON for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir", }, ], algolia: { diff --git a/src/pages/index.js b/src/pages/index.js index 6c1e2f1..428484c 100644 --- a/src/pages/index.js +++ b/src/pages/index.js @@ -33,7 +33,7 @@ function HomepageHeader() {

{siteConfig.title}

-

An authorization library that supports access control models like ACL, RBAC, ABAC, ReBAC, BLP, Biba, LBAC, UCON, Priority, RESTful for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir

+

An authorization library that supports access control models like ACL, RBAC, ABAC, ReBAC, PBAC, OrBAC, BLP, Biba, LBAC, UCON, Priority, RESTful for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir

+ description="An authorization library that supports access control models like ACL, RBAC, ABAC, ReBAC, PBAC, OrBAC, BLP, Biba, LBAC, UCON, Priority, RESTful for Golang, Java, C/C++, Node.js, Javascript, PHP, Laravel, Python, .NET (C#), Delphi, Rust, Ruby, Swift (Objective-C), Lua (OpenResty), Dart (Flutter) and Elixir">
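Review bot: in docs/OrBAC.mdx the 'Policy Examples' section should state that the Use and Consider mappings are organization-scoped and that the model fails closed without them: `g2, write, modify, org1` does not apply to org2, so an organization with no `g2`/`g3` rows of its own denies every request, which is the only reason the example repeats the write/modify and read/consult rows for org2. A sentence under 'OrBAC Model Definition' would also help: because `g2` and `g3` go through the same role manager as `g`, they resolve transitively, so a row such as `g2, modify, manage, org1` makes every concrete action mapped to `modify` also satisfy a policy written against `manage`; that is how the activity and view hierarchies from the OrBAC literature are expressed here, and readers will otherwise assume the mappings are flat.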
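Review bot: in docs/SupportedModels.mdx the list is hard-numbered, so inserting OrBAC at 13 forces rewriting five unchanged items (13-17 become 14-18) and produces a noisy diff; Markdown renders `1.` on every item as a sequential list, so switching to that would make the next insertion a one-line change. While touching this list, the Biba description in the unchanged context (item 11) is wrong: preventing "unauthorized disclosure of classified information" is Bell-LaPadula's confidentiality goal; Biba is the integrity counterpart (no read down, no write up) and should say it prevents unauthorized modification of data.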
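Review bot: the new OrBAC row in the examples table links to orbac_model.conf and orbac_policy.csv on casbin/casbin master, but the commit message says this documentation is "based on PR #1567", i.e. those files come from a pull request that is not shown as merged; if this PR lands first, both links 404. `onBrokenLinks: "throw"` in docusaurus.config.js only validates internal routes, so the build will not catch it. Hold this on #1567 landing, or point the links at that PR's branch until then.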
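Review bot: the import hunk in docs/OrBAC.mdx leaves the example in a half-state: `import "github.com/casbin/casbin/v2"` is package-level syntax, but the `e, _ := casbin.NewEnforcer(...)` and `ok, _ := e.Enforce(...)` lines that follow are short variable declarations, which are only legal inside a function, so the block still does not compile as shown. Either wrap it in `package main` / `func main()` or drop the import and keep the fragment style used elsewhere. Also stop discarding the errors: with `e, _ := casbin.NewEnforcer(...)` a wrong model or policy path yields a nil `e` and the first `Enforce` panics, and `ok, _ = e.Enforce(...)` makes an enforcement error indistinguishable from a legitimate deny; `e, err := casbin.NewEnforcer(...); if err != nil { log.Fatal(err) }` plus an `err` check on each `Enforce` is the pattern an authorization example should teach.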
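Review bot: the `tagline` and `meta` content hunks in docusaurus.config.js update the same sentence twice and still disagree with the homepage: both config strings end the model list at "UCON", while the index.js hero text in the same patch continues with "Priority, RESTful". Define the sentence once (a `const` at the top of the config reused for `tagline` and the meta `content`) so the two cannot diverge, and settle on a single model list. The hunks also add PBAC to the strings although nothing in this patch adds or links a PBAC page; if that page already exists it belongs in the SupportedModels.mdx list alongside OrBAC, otherwise drop PBAC from the tagline until it does.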
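Review bot: the index.js hunk hard-codes the same sentence a third and a fourth time (the hero paragraph and the `description=` prop) while `siteConfig` is already in scope two lines above (`{siteConfig.title}`); render `{siteConfig.tagline}` in both places so the homepage cannot drift from docusaurus.config.js, which it already does in this patch (the config strings lack the "Priority, RESTful" that this hunk includes).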