
So my understanding of RBAC is that Users have Roles, and Roles have Permissions and there should be a Permission Object mapping.

I'm having a bit of a business logic problem though concerning RBAC. For this problem we have two Roles, Player and GM. I would like the GM to be able to grant read access to certain objects to Players. In theory I need to grant the GM Read permission as well.

Role   | Permission
-------+-----------
GM     | read_place
Player | read_place


Object id | Permission
----------+-----------
1         | read_place

Now both GMs and Players could read the object with id 1. But if I revoked the permission on the object, neither could.

Object id | Permission | Role
----------+------------+-----
1         | read_place | GM

This would allow only GMs to read object 1.

Role   | Permission
-------+------------------
GM     | gm_read_place
Player | player_read_place

Object id | Permission
----------+--------------
1         | gm_read_place

This would allow the GMs to read without Players being able to, unless the GM granted the permission to the object.

Both solutions feel dirty. Am I missing something? Is there a better solution?

xenoterracide
  • Have you looked at developing Access Control Lists using groups/roles (similar to unix file security)? You will need roles, resource & action. In your case resource will be object id, action will be read and role will be GM. – jhash Oct 04 '15 at 22:02
  • @jhash groups and roles are not synonyms. Unix file security without extensions is a DAC model. – xenoterracide Oct 04 '15 at 22:06
  • You are correct. BTW, does the approach work for you, or do you have any specific concern about the approach? WRT the documented approach, just wanted to point out that what you are seeing is called "role explosion". – jhash Oct 04 '15 at 22:15
  • @jhash I thought "role explosion" was when I had to create more roles than what seems reasonable (like role type per org in multitenancy). So far I'm not seeing that. I'm just looking to see if there are better solutions than what I've come up with, and advantages/disadvantages to the approaches. – xenoterracide Oct 05 '15 at 04:16
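As an added illustration of the second approach in the question (the "Object id | Permission | Role" table), not code from the poster or from any project: the evaluator below keeps the Role→Permission table and the per-object grant table separate and only allows access when both agree, so a GM can grant and revoke a Player's read access on object 1 without minting role-specific permissions like `gm_read_place` / `player_read_place`. The class name `Rbac`, the helper names, and the rule that only the GM role may change object grants (`GRANTING_ROLES`) are assumptions made for this example.

```python
"""Constructed RBAC evaluator for the Player/GM question (example code, not the poster's).

Two tables drive every decision:
  role_permissions : Role -> {Permission}                ("Role | Permission" table)
  object_grants    : (Object id, Permission) -> {Role}   ("Object id | Permission | Role" table)
A user may act only if BOTH tables agree, so an object grant can never hand out a
permission that the role does not already carry.
"""
from dataclasses import dataclass, field

GRANTING_ROLES = frozenset({"GM"})  # assumption: only GMs may grant/revoke object access


@dataclass
class Rbac:
    role_permissions: dict = field(default_factory=dict)
    object_grants: dict = field(default_factory=dict)

    def can(self, user_roles, permission, object_id):
        """True if one of the user's roles carries `permission` AND is granted it on the object."""
        roles = set(user_roles)
        # roles of this user that carry the permission at all (role table)
        capable = {r for r in roles if permission in self.role_permissions.get(r, ())}
        if not capable:
            return False
        # roles named on the object's grant for this permission (object table)
        granted = self.object_grants.get((object_id, permission), set())
        return bool(capable & granted)

    def _check_grantor(self, actor_roles):
        # the actor must hold a granting role; everyone else is refused
        if not (set(actor_roles) & GRANTING_ROLES):
            raise PermissionError("only a granting role (GM) may change object grants")

    def grant(self, actor_roles, object_id, permission, to_role):
        self._check_grantor(actor_roles)
        # refuse to create a grant the target role could never use; keeps the tables consistent
        if permission not in self.role_permissions.get(to_role, ()):
            raise ValueError(f"role {to_role!r} does not carry {permission!r}")
        self.object_grants.setdefault((object_id, permission), set()).add(to_role)

    def revoke(self, actor_roles, object_id, permission, from_role):
        self._check_grantor(actor_roles)
        self.object_grants.get((object_id, permission), set()).discard(from_role)


def build_example():
    """The question's setup: both roles hold read_place, object 1 is readable by GM only."""
    rbac = Rbac(role_permissions={"GM": {"read_place"}, "Player": {"read_place"}})
    rbac.object_grants[(1, "read_place")] = {"GM"}
    return rbac


def scenario():
    """GM grants, then revokes, Player read access on object 1; returns the access decisions."""
    rbac = build_example()
    out = {
        "gm_before": rbac.can(["GM"], "read_place", 1),
        "player_before": rbac.can(["Player"], "read_place", 1),
    }
    rbac.grant(["GM"], 1, "read_place", "Player")
    out["player_after_grant"] = rbac.can(["Player"], "read_place", 1)
    rbac.revoke(["GM"], 1, "read_place", "Player")
    out["player_after_revoke"] = rbac.can(["Player"], "read_place", 1)
    out["gm_after_revoke"] = rbac.can(["GM"], "read_place", 1)
    return out


if __name__ == "__main__":
    for name, decision in scenario().items():
        print(f"{name}: {decision}")
```

Revoking the Player grant on object 1 does not disturb the GM's own grant, which is the behaviour the first approach (a bare "Object id | Permission" table) cannot give; and because `grant` refuses to name a role that lacks the permission in the role table, the only two ways to widen access are editing the role table or adding a grant row, which keeps both tables auditable.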

0 Answers