
Please support multiple domain/tenant or filtering

Open pigochu opened this issue 5 years ago • 13 comments

I want to design a multiple domain/tenant RBAC.

But `auth_assignment.item_name` is the primary key.

So I need to create roles `domain/1/admin`, `domain/2/admin`, etc. Then I can assign users to those domains.

But it's hard to manage, because I need to add all permissions for each domain's roles.

I think rbac-db could add a domain id to the `auth_assignment` table.

But not everyone needs a domain id, so this is not a good idea.

Another way: if a filter is used, maybe it can be more flexible, e.g.:

```php
$myfilter = new DbRbacFilter(1); // restrict the assignment query to domain 1
Yii::$app->user->can("user", "edit", $myfilter);

interface DbRbacFilterInterface {
    public function beforeQueryAssignment($query);
}

class DbRbacFilter implements DbRbacFilterInterface {
    protected $domainId;

    public function __construct($domain_id) {
        $this->domainId = $domain_id;
    }

    // Called by the manager before the assignment query runs, so only
    // assignments of the given domain are considered
    public function beforeQueryAssignment($query) {
        $query->andWhere(["domain_id" => $this->domainId]);
    }
}
```

Then I can add a `domain_id` column to the assignment table.

pigochu avatar Sep 15 '20 01:09 pigochu

Am I correct that you have multiple websites and want a single RBAC hierarchy to manage permissions for all these at once?

samdark avatar Sep 15 '20 07:09 samdark

> Am I correct that you have multiple websites and want a single RBAC hierarchy to manage permissions for all these at once?

No, a single site, but it has a two-level organization.

The domain looks like: org/1, org/1/2, org/1/3, org/4

org/1 is a parent domain, org/1/2 and org/1/3 are children, org/4 is a parent. So I can also assign a user to domain org/1/*; this user can access all children of org/1, and each domain may have more than one manager. Each domain has many staff or other roles.

pigochu avatar Sep 15 '20 09:09 pigochu

Casbin can support it; I have posted a question there.

https://github.com/php-casbin/php-casbin/issues/55

But Casbin has a problem: it always queries all data from the database when running in classic PHP page mode (cgi/fpm/fork ...). If I have a lot of users and domains, I think it will be slow.

pigochu avatar Sep 15 '20 09:09 pigochu

Can't this be implemented with multiple roles and inheritance? i.e.

*org/1
  do_thing_in_1
  *org/1/2
    do_thing_in_2
  *org/1/3
    do_thing_in_3
*org/4
    do_thing_in_4

A user can have org/1 assigned. That will give him permissions from org/1/2 and org/1/3 as well. Also a user can be assigned multiple roles such as org/1/2, org/4.

samdark avatar Sep 15 '20 09:09 samdark

You mean when I check access I use `Yii::$app->user->can("do_thing_in_1")`?

I think it's hard to manage for me....

If I add a domain column to the assignment table, it will be simple. However, I am implementing my own RBAC, I rewrote many classes and am testing now, but it is not flexible.. ha ha

Now I added a `setDomain` to `Yii::$app->user`. So:

```php
Yii::$app->user->setDomain(["org/1", "org/1/*"]); // in a beforeAction event I set that the current user is in domain org/1 and all children
Yii::$app->user->can("updateOrg"); // it means the user can do updateOrg in org/1
```

I also added some methods:

```php
Yii::$app->user->getRolesByUserWithDomain(1, "org/1"); // I can get the user's roles in domain org/1
```

These are my current roles; it's very simple, no do_thing_in_xxxxx, so it's easy to manage.

pigochu avatar Sep 15 '20 09:09 pigochu

> I think it's hard to manage for me....

Why? Different domains are usually implemented separately. Thus you still need to explicitly check for concrete permissions there, right?

samdark avatar Sep 15 '20 10:09 samdark

Because I need to design a management page: I need to list who is org admin or staff in each domain.

pigochu avatar Sep 15 '20 10:09 pigochu

I assume that will still be a single page? That would require some effort to convert path-like roles into groups by domain.

  1. Get role-user assignments. That would give you roles like store.admin, store.manager, blog.admin, blog.author.
  2. For each domain such as store or blog, collect role-user assignments prefixed with the domain path.
  3. Remove the domain path to get the user's role within the domain.

RBAC itself may stay the same in this case.

samdark avatar Sep 15 '20 10:09 samdark
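The three steps above, carried out as a standalone function. This is an added example, not code from rbac-db or from either participant; the assignment rows and the list of known domains are constructed, and the domain separator is assumed to be "/". The one thing worth getting right is the boundary check: the prefix must include the trailing separator, otherwise a role under org/10 is grouped into org/1.

```php
<?php
// Added example (not from the rbac-db project): group path-prefixed role
// assignments by domain, following the three steps in the comment above.
// Assignment data and domain list are constructed for illustration.

/**
 * Turn rows of the form ['userId' => 1, 'role' => 'org/1/2/admin'] into
 * [domain => [userId => [roleWithinDomain, ...]]].
 * The longest matching domain wins, so "org/1/2" is not swallowed by "org/1".
 */
function groupAssignmentsByDomain(array $assignments, array $domains): array
{
    // Longest domain paths first, so "org/1/2" is tried before "org/1".
    usort($domains, fn(string $a, string $b): int => strlen($b) <=> strlen($a));

    $grouped = [];
    foreach ($assignments as $assignment) {
        $role = $assignment['role'];
        foreach ($domains as $domain) {
            $prefix = $domain . '/';
            // Require the separator: "org/10/admin" must not match domain "org/1".
            if (strncmp($role, $prefix, strlen($prefix)) === 0) {
                $roleWithinDomain = substr($role, strlen($prefix));
                $grouped[$domain][$assignment['userId']][] = $roleWithinDomain;
                continue 2; // next assignment
            }
        }
        // Roles without a known domain prefix are listed under a "global" bucket.
        $grouped['global'][$assignment['userId']][] = $role;
    }
    return $grouped;
}

// Constructed sample data.
$domains = ['org/1', 'org/1/2', 'org/1/3', 'org/4', 'org/10'];
$assignments = [
    ['userId' => 1, 'role' => 'org/1/admin'],
    ['userId' => 2, 'role' => 'org/1/2/admin'],
    ['userId' => 2, 'role' => 'org/1/3/staff'],
    ['userId' => 3, 'role' => 'org/10/admin'],
    ['userId' => 3, 'role' => 'sysadmin'],
];

print_r(groupAssignmentsByDomain($assignments, $domains));
```

Run with `php grouping.php`: user 1 ends up under org/1 as admin, user 2 under org/1/2 as admin and under org/1/3 as staff, user 3 under org/10 as admin and under global as sysadmin. The RBAC hierarchy itself is untouched; only the management page does the grouping.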

> I assume that will still be a single page? That would require some effort to convert path-like roles into groups by domain.
>
>   1. Get role-user assignments. That would give you roles like store.admin, store.manager, blog.admin, blog.author.
>   2. For each domain such as store or blog, collect role-user assignments prefixed with the domain path.
>   3. Remove the domain path to get the user's role within the domain.
>
> RBAC itself may stay the same in this case.

So I need to create many org/:id/blog.admin, org/:id/xxx roles, and each role needs many child permissions added, right?

But how do I use yii->user->can? org/:id/blogPost?

pigochu avatar Sep 15 '20 10:09 pigochu

The structure I designed myself looks like this. Very simple and easy to manage.

auth_assignment:

| user | item_name | domain |
|------|-----------|---------|
| 1 | org/admin | org/1 |
| 1 | org/admin | org/1/* |
| 2 | org/admin | org/1/2 |
| 2 | org/staff | org/1/3 |

- user id 1 is org/1 admin and is org/1/* admin
- user id 2 is org/1/2 admin and is org/1/3 staff, so he has a different role in a different domain

auth_item:

| name | type |
|------|------|
| org/admin | 1 |
| org/staff | 1 |
| org/dasboard:view | 2 |
| org/staff:create | 2 |
| org/staff:update | 2 |
| org/staff:view | 2 |

auth_item_child:

| parent | child |
|--------|-------|
| org/admin | org/staff:create |
| org/admin | org/staff:update |
| org/staff | org/staff:view |
| org/staff | org/dasboard:view |
| org/admin | org/staff |

With this structure, I don't need to create a lot of roles and permissions.

pigochu avatar Sep 15 '20 11:09 pigochu
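An in-memory model of the three tables above together with a domain-aware `can()` check, written as an added example; it is not rbac-db code and not the implementation pigochu describes, and the `userCan()`, `domainMatches()` and `collectPermissions()` names are this example's own. It assumes the `setDomain()`/`can()` semantics from the earlier comment (the caller names the current domain(s) before checking a permission), that the `org/1/*` wildcard covers strict descendants of org/1 only, and it uses the exact rows from the tables, constructed inline.

```php
<?php
// Added example (not rbac-db's code): in-memory model of auth_assignment with a
// domain column and auth_item_child, plus a can() check scoped to the current
// domain(s). All data below is constructed to mirror the tables in the comment.

/** Does the assignment's domain cover the requested domain? */
function domainMatches(string $assigned, string $requested): bool
{
    if ($assigned === $requested) {
        return true;
    }
    // "org/1/*" covers org/1/2 and org/1/2/5 but neither org/1 itself nor org/10/2;
    // keeping the trailing "/" in the prefix is what rules out the org/10 case.
    if (substr($assigned, -2) === '/*') {
        $prefix = substr($assigned, 0, -1); // "org/1/"
        return strncmp($requested, $prefix, strlen($prefix)) === 0;
    }
    return false;
}

/** All items reachable from $item through auth_item_child, including itself. */
function collectPermissions(string $item, array $children, array &$seen = []): array
{
    if (isset($seen[$item])) {
        return []; // already expanded; also guards against cycles in the hierarchy
    }
    $seen[$item] = true;
    $found = [$item];
    foreach ($children[$item] ?? [] as $child) {
        $found = array_merge($found, collectPermissions($child, $children, $seen));
    }
    return $found;
}

/**
 * Equivalent of Yii::$app->user->can($permission) after setDomain($domains):
 * true if some assignment of the user whose domain covers one of the
 * requested domains leads to the permission through the item hierarchy.
 */
function userCan(int $userId, string $permission, array $domains, array $assignments, array $children): bool
{
    foreach ($assignments as [$uid, $item, $assignedDomain]) {
        if ($uid !== $userId) {
            continue;
        }
        foreach ($domains as $domain) {
            if (domainMatches($assignedDomain, $domain)
                && in_array($permission, collectPermissions($item, $children), true)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed rows: [user, item_name, domain] from auth_assignment above.
$assignments = [
    [1, 'org/admin', 'org/1'],
    [1, 'org/admin', 'org/1/*'],
    [2, 'org/admin', 'org/1/2'],
    [2, 'org/staff', 'org/1/3'],
];
// Constructed rows from auth_item_child above: parent => [children].
$children = [
    'org/admin' => ['org/staff:create', 'org/staff:update', 'org/staff'],
    'org/staff' => ['org/staff:view', 'org/dasboard:view'],
];

// user 1 in org/1/3: reached through the org/1/* wildcard assignment
var_dump(userCan(1, 'org/staff:create', ['org/1/3'], $assignments, $children));
// user 2 in org/1/3: only org/staff there, so no org/staff:create
var_dump(userCan(2, 'org/staff:create', ['org/1/3'], $assignments, $children));
// user 2 in org/1/2: org/admin there
var_dump(userCan(2, 'org/staff:create', ['org/1/2'], $assignments, $children));
// user 1 in org/10: the wildcard must not leak across the path boundary
var_dump(userCan(1, 'org/staff:view', ['org/10'], $assignments, $children));
```

Two properties of this layout are visible in the code. First, every domain decision lives in `domainMatches()`, so the wildcard boundary (trailing separator) is tested in one place rather than at every call site. Second, `$children` is shared by all domains: the same `org/staff` tree applies in org/1/2 and org/1/3, so a per-domain exception (staff in one domain without dashboard access) cannot be expressed without adding domain-specific items, which is the trade-off samdark raises in the following comments.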

> So I need to create many org/:id/blog.admin, org/:id/xxx roles, and each role needs many child permissions added, right? But how do I use yii->user->can? org/:id/blogPost?

Correct.

> With this structure, I don't need to create a lot of roles and permissions.

You are assuming that items hierarchy is reused for all the domains. That saves creating more items but could be a huge problem in case domains will start having different item configurations. For example, org/staff in org/1/2 can view dashboard but org/staff in org/1/3 should not view dashboard.

samdark avatar Sep 16 '20 10:09 samdark

> You are assuming that items hierarchy is reused for all the domains. That saves creating more items but could be a huge problem in case domains will start having different item configurations. For example, org/staff in org/1/2 can view dashboard but org/staff in org/1/3 should not view dashboard.

Why is this a huge problem? This is what I want. Every domain has a dashboard showing different info for different domain staff, e.g. a multiple-tenant mall.

pigochu avatar Sep 16 '20 23:09 pigochu

It can be desired for you now because all your domains are similar, but it will become a huge mess if any of these similar domains goes in a different direction.

samdark avatar Sep 17 '20 17:09 samdark