Policy for RBAC System with domain and resource

[brt-srini-rama]

Hi,
I got to the situation were I think it has overwhelms the Casbin's feature. Please suggest if any suitable model that I can leverage from Casbin to match my use case.

use case is :
UC-1 : userA allowed to perform action on resource_A in certain domain during certain time period in daily basis only during weekdays. and none of the action are allowed on weekends(So I need to differentiate between weekdays and weekends).

UC-2 : userB (Admin) allowed to perform perform action on all resources_All in many domains during all times on all days of the week.

right now I manage to get the use case working up until time restrictions, still could not able to impose day restrictions.
To make this working up to timing restrictions I have used almost all the "request" and "policy" rules fields, I mean I used all the 6 columns/fields (sub, dom, res, action1, action2) of the Casbin's
here is my model. Example from my policy file is p, User,domain, resource1, booking, create, 8, 20: and later attached the user say "Shri" to this role using g function as below. g, Shri, User, domain

[request_definition]
r = sub, dom, obj, act1, act2, time

[policy_definition]
; start time and end time should be 0 - 24 Hrs bound value
p = sub, dom, obj, act1, act2, strt_time, end_time

[role_definition]
;User Role mapping with subject
g = _, _, _
;Admin Role mapping with subject
g2 = _, _, _
;Desk Role maping with desk entity
g3 = _, _
;Room Role mapping with room entity
g4 = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = ((g(r.sub, p.sub, r.dom) || g2(r.obj, p.obj, r.dom)) && (g3(r.obj, p.obj) || g4(r.obj, p.obj)) && (r.act2 == p.act2 && r.act1 == p.act1) && ((r.time >= p.strt_time && r.time < p.end_time) || isAdmin(r.sub, r.dom)))

In the above matcher function, isAdmin(r.sub, r.dom) is my custom matcher function registered to identify whether a user is a Admin user or the normal user, it will return true if the user is Admin, so in the matcher condition ((r.time >= p.strt_time && r.time < p.end_time) || isAdmin(r.sub, r.dom)) will exclude the timing restriction for him.

Now to add the day restriction, I am really hanged up, I still tried the following policy definition in .csv file p, Weekdays, Mon, Tue, Wed, Thu, fri but I am confused how to validate this policy rule again the request arguments which does not have a "day" field in my request_definition.

Please suggest any suitable model I should strict to make this scenarios covered.

Thanks in Advance.
Srini.

[hsluoyz]

@nodece @GopherJ

[jkour]

@brt-srini-rama How do you define the times? It is like a setting in the application?

And what happens and userA is restricted? Does an admin go and disable access or it is a kind of business rule that is imposed by operations? I can imagine a store which allows userA to do things during operation time.

If the times are not directly linked to specific users this means you do not need an explicit policy for this; then you may be able to restrict access by writing a custom function

[brt-srini-rama]

Hi Thanks,
Yes, Its is same as like an operator getting in to the shop for his morning duty, and the the system should validate his access based on his tap-in time from his access card. If the tap-In time is before his duty time, then the system should not allow him an access by not opening the door. All time are a Unix timestamp derived from the command date "+%s".
Basically I need to have a Policy mapped to a Role which restrict the user to perform activity(Opening) on certain resource (in this case a resource is door) only during an allowed time of the days in a weekdays. and there can be an another policy which would deny him performing actions on resources during weekends.

[jkour]

Do you manage the data from the access card in this same application or do you retrieve them from another server?

It seems to me that your model can be significantly simplified if you use a custom function. So, your policy may look like this:
p, userA, door-access

and then the matcher can include

(r.userID = p.userID) && (r.resource = p.resource) && IsUserInShift(r.UserID)

In IsUserInShift function you take the userID and check the access card data and evaluete whether the result is return true/false.

In this scenario, your enforcement is simply casbin.enforce('userA, door-access')

I may miss some details now as I writing on top of my head but you can see the approach.

[brt-srini-rama]

OKay, but suppose consider there are three different shift with different timing and different resources(Access-Door) and also they all bound to certain domain(Eg, The worker is allowed to work only on certain floor), and there are many workers works in different shifts . So I need to create the policy group and need to place different workers to different policy groups. Which means I need to use the Casbin's domain relations as well. By writing custom function do I need to iterate through the policy definition to match the timing and domain rules defined in the policy.csv file?

[jkour]

p, shiftA, floor_one, door_access
p, shiftA, floor_one, toilet_access
p, shiftA, floor_two, door_access
...and other shifts, and resources

g, userA, shiftA
g, userB, shiftA,
...and other users and shifts
In this case you may not need the custom function

But now you need to dynamically update the g's all the time when users change shifts.
How do you get the shift data? In your applications? externally stored? In what I write here you remove the shift allocation from casbin to your business logic and code

[0x8f701]

@brt-srini-rama The latest release: https://github.com/casbin/casbin/releases/tag/v2.3.0 may help solving your problem. You can visit: https://casbin.org/docs/en/abac#scaling-the-model-for-complex-and-large-number-of-abac-rules for the detail documenation.

[brt-srini-rama]

Yes, on the first look, it seems very flexible, let me try this out... right now I am using my custom functions to handle every conditions...

Once again thanks for pointing me this feature.

[hsluoyz]

Closed as resolved.