FlatRBAC.AbstractPermission
— Typetype AbstractPermission
Interface methods
- name()::String
- actions()::Vector{String}
- resources()::Vector{String}
- scope()::Scope
- hash()::UInt64
Implementing custom permissions
struct CustomPermission
activity::String
resources::Vector{Symbol}
end
FlatRBAC.name(custom::CustomPermission) = Base.string(CustomPermission)
FlatRBAC.scope(custom::CustomPermission) = FlatRBAC.All
FlatRBAC.actions(custom::CustomPermission) = [custom.activity]
FlatRBAC.resources(custom::CustomPermission) = string.(custom.resources)
FlatRBAC.AbstractRole
— Typetype AbstractRole
Roles are collection of permissions and can be assigned to subjects
Interface methods
name(<:AbstractRole)::String
description(<:AbstractRole)::String
permissions(<:AbstractRole)::Vector{<:AbstractPermission}
hash(<:AbstractRole)::UInt64
FlatRBAC.AbstractSubject
— Typetype AbstractSubject
Interface methods
- id::String
- name::String
- roles::Vector{<:AbstractRole}
- hash()::UInt64
FlatRBAC.Permission
— TypePermission(str::String, description::String="")
Build a Permission from a shorthand representation
Examples
Permission("client:books:read,rent")
# Permission("client", ["books"], ["read", "rent"], "", None)
Permission("client::read,rent") # any resource
# Permission("client", ["*"], ["read", "rent"], "", None)
Permission("admin") # any resource, any actions
# Permission("admin", ["*"], ["*"], "", None)
Permission("staff:books") # any action over books
# Permission(staff:books:*:none)
Permission("multi-rental:books,cds:rent")
# Permission("multi-rental", ["books", "cds"], ["rent"], "", None)
Permission("author:*:update:own", "An author can update their own resources")
# Permission("author", ["*"], ["update"], "An author can update their own resources", Own)
FlatRBAC.Permission
— Typemutable struct Permission <:AbstractPermission
Permissions dot not know who
can perform actions, only what can be performed on resources
rent_book = Permission(name="books", resources=["ulysses"], actions=["read", "rent"])
// alternatively
rent_book = Permission("books:ulysses:read,rent")
FlatRBAC.Role
— Typemutable struct Role <:AbstractRole
Grating permissions
grant!(role, permissions::Permission...)
grant!(role, roles::Role...)
Removing permissions and roles
revoke!(role, permissions::Permission...)
revoke!(role, roles::Role...)
FlatRBAC.Scope
— Typetype Scope
Interface methods
- Base.string(scope::Scope)::String
- iswildcard(scope::Scope)::Bool
- Scope(::Val{:lowercaseName})::Scope
FlatRBAC.Scope
— Methodfunction Scope(str::String)
Construct Scope from a string representation
Examples
abstract type MyScope <:FlatRBAC.Scope end
Base.string(::Type{MyScope}) = "MyScope"
# Implementing this interface significantly improves performance
FlatRBAC.Scope(::Val{:myscope}) = MyScope
# Case insensitive, will check against lowercase representation
@assert FlatRBAC.Scope("MySCOPE") == MyScope "This should not error"
FlatRBAC.Subject
— Typemutable struct Subject <:AbstractSubject
A subject represents and entity interacting with an application
In a flat RBAC model, subjects will obtain permissions from their assigned roles, direct assignment is not supported
Methods
- grant!
- revoke!
FlatRBAC.implies
— MethodNone does not grant Own
FlatRBAC.implies
— MethodChecking against Own defaults to true, devs are responsible for appropriate ownership checks
FlatRBAC.implies
— MethodChecking Own supertype against Own subtypes is always true, devs are responsible for appropriate ownership checks
FlatRBAC.implies
— Methodimplies(this::P, that::P) where P<:AbstractPermission
Check whether a permission implies another permission is also granted
this
must satisfy all [resource
=>actions
...] combinations from that
Example
# A permission to grant an user access to read and list its own data
user_perm = Permission("user_read:database:read,list:own")
implies(user_perm, Permission(":database:read:own")) == true # user can both read and list
implies(user_perm, Permission(":database:read,list,delete:own")) == false # user cannot delete
implies(user_perm, Permission(":database:read:all"), scoped=true) == false # user cannot read in all scope
FlatRBAC.implies
— MethodDefault Scope cases
FlatRBAC.implies
— MethodChecking same scope is always true
FlatRBAC.iswildcard
— Functioniswildcard(str::String)
iswildcard(::Type{<:Scope})
iswildcard(permission::Permission)
iswildcard(grant::Grant)
FlatRBAC.revoke!
— MethodRevoke permission
from role
FlatRBAC.revoke!
— MethodRevoke from base
all permissions from role
FlatRBAC.revoke!
— MethodRevoke set of permissions
from role
FlatRBAC.revoke!
— MethodRevoke role
from subject