An authorization library that supports access control models like ACL, RBAC, ABAC in Golang

Overview

Casbin

News: still worried about how to write the correct Casbin policy? The Casbin online editor is coming to help! Try it at: https://casbin.org/editor/

Casbin is a powerful and efficient open-source access control library for Golang projects. It provides support for enforcing authorization based on various access control models.

All the languages supported by Casbin:

  • golang: Casbin (production-ready)
  • java: jCasbin (production-ready)
  • nodejs: node-Casbin (production-ready)
  • php: PHP-Casbin (production-ready)
  • python: PyCasbin (production-ready)
  • dotnet: Casbin.NET (production-ready)
  • c++: Casbin-CPP (beta-test)
  • rust: Casbin-RS (production-ready)

Supported models

  1. ACL (Access Control List)
  2. ACL with superuser
  3. ACL without users: especially useful for systems that don't have authentication or user log-ins.
  4. ACL without resources: some scenarios may target a type of resource instead of an individual resource by using permissions like write-article, read-log. It doesn't control access to a specific article or log.
  5. RBAC (Role-Based Access Control)
  6. RBAC with resource roles: both users and resources can have roles (or groups) at the same time.
  7. RBAC with domains/tenants: users can have different role sets for different domains/tenants.
  8. ABAC (Attribute-Based Access Control): syntactic sugar like resource.Owner can be used to get the attribute for a resource.
  9. RESTful: supports paths like /res/*, /res/:id and HTTP methods like GET, POST, PUT, DELETE.
  10. Deny-override: both allow and deny authorizations are supported, deny overrides the allow.
  11. Priority: the policy rules can be prioritized like firewall rules.

How it works?

In Casbin, an access control model is abstracted into a CONF file based on the PERM metamodel (Policy, Effect, Request, Matchers). So switching or upgrading the authorization mechanism for a project is just as simple as modifying a configuration. You can customize your own access control model by combining the available models. For example, you can get RBAC roles and ABAC attributes together inside one model and share one set of policy rules.

The most basic and simplest model in Casbin is ACL. ACL's model CONF is:

# Request definition
[request_definition]
r = sub, obj, act

# Policy definition
[policy_definition]
p = sub, obj, act

# Policy effect
[policy_effect]
e = some(where (p.eft == allow))

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

An example policy for ACL model is like:

p, alice, data1, read
p, bob, data2, write

It means:

  • alice can read data1
  • bob can write data2
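
The evaluation described above, as an added example (a simplified, standard-library-only sketch, not Casbin's own code): it applies the ACL matcher to the policy above and, going beyond the ACL case, to role links and the deny-override effect from the list of supported models. The rolePolicy rules, the names carol, dave and data3, and all type and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one "p" line: p, sub, obj, act[, eft]. A missing eft means allow.
type Rule struct{ Sub, Obj, Act, Eft string }

// Effect selects the [policy_effect] expression that merges matched rules.
type Effect int

const (
	AllowOverride Effect = iota // some(where (p.eft == allow))
	DenyOverride                // some(where (p.eft == allow)) && !some(where (p.eft == deny))
)

// Policy holds parsed "p" rules and "g" (member -> role) links.
type Policy struct {
	Rules []Rule
	Roles map[string][]string
}

// aclPolicy is the ACL policy from the text; rolePolicy is constructed.
const aclPolicy = "p, alice, data1, read\np, bob, data2, write"

const rolePolicy = `
p, writer, data3, write, allow
p, reader, data3, write, deny
g, carol, writer
g, carol, reader
g, dave, writer`

// ParsePolicy reads CSV policy text. A malformed line is an error, not a
// silently skipped rule, so a typo cannot quietly change the decision.
func ParsePolicy(text string) (*Policy, error) {
	p := &Policy{Roles: map[string][]string{}}
	for n, line := range strings.Split(text, "\n") {
		// Sketch assumption: field values contain no spaces.
		line = strings.ReplaceAll(line, " ", "")
		if line == "" {
			continue
		}
		f := strings.Split(line, ",")
		switch {
		case f[0] == "p" && len(f) == 4:
			p.Rules = append(p.Rules, Rule{f[1], f[2], f[3], "allow"})
		case f[0] == "p" && len(f) == 5 && (f[4] == "allow" || f[4] == "deny"):
			p.Rules = append(p.Rules, Rule{f[1], f[2], f[3], f[4]})
		case f[0] == "g" && len(f) == 3:
			p.Roles[f[1]] = append(p.Roles[f[1]], f[2])
		default:
			return nil, fmt.Errorf("line %d: malformed policy line %q", n+1, line)
		}
	}
	return p, nil
}

// hasRole reports whether sub equals role or reaches it through "g" links;
// seen guards against cycles in the role graph.
func (p *Policy) hasRole(sub, role string, seen map[string]bool) bool {
	if sub == role || seen[sub] {
		return sub == role
	}
	seen[sub] = true
	for _, parent := range p.Roles[sub] {
		if p.hasRole(parent, role, seen) {
			return true
		}
	}
	return false
}

// Enforce applies m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act to
// every rule and merges the matches; no matching allow rule means deny.
func (p *Policy) Enforce(eff Effect, sub, obj, act string) bool {
	allow, deny := false, false
	for _, r := range p.Rules {
		if r.Obj != obj || r.Act != act || !p.hasRole(sub, r.Sub, map[string]bool{}) {
			continue
		}
		allow = allow || r.Eft == "allow"
		deny = deny || r.Eft == "deny"
	}
	return allow && (eff == AllowOverride || !deny)
}

func main() {
	acl, err1 := ParsePolicy(aclPolicy)
	rbac, err2 := ParsePolicy(rolePolicy)
	if err1 != nil || err2 != nil {
		panic(fmt.Sprint(err1, err2))
	}
	fmt.Println("alice read data1:", acl.Enforce(AllowOverride, "alice", "data1", "read"))
	fmt.Println("alice write data2:", acl.Enforce(AllowOverride, "alice", "data2", "write"))
	fmt.Println("carol write data3 (allow-only effect):", rbac.Enforce(AllowOverride, "carol", "data3", "write"))
	fmt.Println("carol write data3 (deny-override):", rbac.Enforce(DenyOverride, "carol", "data3", "write"))
}
```

With the allow-only effect a deny rule is simply never counted, so the choice of [policy_effect] decides whether carol's reader role can block what her writer role grants.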

We also support multi-line mode by appending '\' at the end of a line:

# Matchers
[matchers]
m = r.sub == p.sub && r.obj == p.obj \
  && r.act == p.act

Furthermore, if you are using ABAC, you can try the in operator as follows in the Casbin Golang edition (jCasbin and Node-Casbin do not support it yet):

# Matchers
[matchers]
m = r.obj == p.obj && r.act == p.act || r.obj in ('data2', 'data3')

But you SHOULD make sure that the length of the array is MORE than 1, otherwise it will panic.

For more operators, you may take a look at govaluate.

Features

What Casbin does:

  1. enforce the policy in the classic {subject, object, action} form or a customized form as you defined; both allow and deny authorizations are supported.
  2. handle the storage of the access control model and its policy.
  3. manage the role-user mappings and role-role mappings (aka role hierarchy in RBAC).
  4. support built-in superusers like root or administrator. A superuser can do anything without explicit permissions.
  5. multiple built-in operators to support the rule matching. For example, keyMatch can map a resource key /foo/bar to the pattern /foo*.

What Casbin does NOT do:

  1. authentication (i.e. verifying the username and password when a user logs in)
  2. manage the list of users or roles. I believe it's more convenient for the project itself to manage these entities. Users usually have their passwords, and Casbin is not designed as a password container. However, Casbin stores the user-role mapping for the RBAC scenario.

Installation

go get github.com/casbin/casbin

Documentation

https://casbin.org/docs/en/overview

Online editor

You can also use the online editor (https://casbin.org/editor/) to write your Casbin model and policy in your web browser. It provides functionality such as syntax highlighting and code completion, just like an IDE for a programming language.

Tutorials

https://casbin.org/docs/en/tutorials

Get started

  1. Create a new Casbin enforcer with a model file and a policy file:

    e, _ := casbin.NewEnforcer("path/to/model.conf", "path/to/policy.csv")

Note: you can also initialize an enforcer with a policy stored in a DB instead of a file; see the Policy persistence section for details.

  2. Add an enforcement hook into your code right before the access happens:

    sub := "alice" // the user that wants to access a resource.
    obj := "data1" // the resource that is going to be accessed.
    act := "read" // the operation that the user performs on the resource.

    // In Casbin v2, Enforce returns (bool, error).
    if ok, err := e.Enforce(sub, obj, act); err != nil {
        // evaluation failed: deny the request and handle the error
    } else if ok {
        // permit alice to read data1
    } else {
        // deny the request, show an error
    }

  3. Besides the static policy file, Casbin also provides an API for permission management at run time. For example, you can get all the roles assigned to a user as below:

    roles, _ := e.GetImplicitRolesForUser(sub)

See Policy management APIs for more usage.
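
One way to place the enforcement hook described above in an HTTP service, as an added example that is not part of the Casbin project: a net/http middleware that denies on any Enforce error. It assumes the Casbin v2 Enforce signature returning (bool, error); Authorize, subjectOf, stubEnforcer, NewDemoHandler, Probe and the X-Demo-User header are hypothetical names for this sketch.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Enforcer is the single method the hook needs. Assumption: the Casbin v2
// API, where Enforce returns (bool, error).
type Enforcer interface {
	Enforce(rvals ...interface{}) (bool, error)
}

// Authorize runs the enforcement hook right before next is reached.
// subjectOf is a hypothetical callback returning the already authenticated
// user, or "" if there is none (Casbin itself does not authenticate).
func Authorize(e Enforcer, subjectOf func(*http.Request) string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		sub := subjectOf(r)
		if sub == "" {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
			return
		}
		ok, err := e.Enforce(sub, r.URL.Path, r.Method)
		if err != nil {
			// Fail closed: an evaluation error must never fall through to next.
			http.Error(w, "authorization error", http.StatusInternalServerError)
			return
		}
		if !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// stubEnforcer stands in for a real enforcer so the example runs offline.
type stubEnforcer struct {
	allowed map[string]bool // key: "sub obj act"
	fail    bool            // simulate an unreachable policy store
}

func (s stubEnforcer) Enforce(rvals ...interface{}) (bool, error) {
	if s.fail {
		return false, errors.New("policy store unreachable")
	}
	if len(rvals) != 3 {
		return false, fmt.Errorf("want 3 request values, got %d", len(rvals))
	}
	return s.allowed[fmt.Sprintf("%v %v %v", rvals...)], nil
}

// NewDemoHandler wires the hook to a constructed policy: alice may GET /data1.
func NewDemoHandler(fail bool) http.Handler {
	e := stubEnforcer{allowed: map[string]bool{"alice /data1 GET": true}, fail: fail}
	// Demo only: a header stands in for the application's real authentication.
	subjectOf := func(r *http.Request) string { return r.Header.Get("X-Demo-User") }
	protected := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, "data1 contents")
	})
	return Authorize(e, subjectOf, protected)
}

// Probe sends one in-memory request and returns the HTTP status code.
func Probe(h http.Handler, user, method, path string) int {
	req := httptest.NewRequest(method, path, nil)
	if user != "" {
		req.Header.Set("X-Demo-User", user)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	h := NewDemoHandler(false)
	fmt.Println("alice GET /data1:", Probe(h, "alice", "GET", "/data1"))
	fmt.Println("bob GET /data1:", Probe(h, "bob", "GET", "/data1"))
	fmt.Println("anonymous GET /data1:", Probe(h, "", "GET", "/data1"))
	fmt.Println("alice GET /data1, enforcer failing:", Probe(NewDemoHandler(true), "alice", "GET", "/data1"))
}
```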

Policy management

Casbin provides two sets of APIs to manage permissions:

  • Management API: the primitive API that provides full support for Casbin policy management.
  • RBAC API: a more friendly API for RBAC. This API is a subset of the Management API. RBAC users can use this API to simplify their code.

We also provide a web-based UI for model management and policy management, with a model editor and a policy editor.

Policy persistence

https://casbin.org/docs/en/adapters

Policy consistency between multiple nodes

https://casbin.org/docs/en/watchers

Role manager

https://casbin.org/docs/en/role-managers

Benchmarks

https://casbin.org/docs/en/benchmark

Examples

Model                      Model file                           Policy file
ACL                        basic_model.conf                     basic_policy.csv
ACL with superuser         basic_model_with_root.conf           basic_policy.csv
ACL without users          basic_model_without_users.conf       basic_policy_without_users.csv
ACL without resources      basic_model_without_resources.conf   basic_policy_without_resources.csv
RBAC                       rbac_model.conf                      rbac_policy.csv
RBAC with resource roles   rbac_model_with_resource_roles.conf  rbac_policy_with_resource_roles.csv
RBAC with domains/tenants  rbac_model_with_domains.conf         rbac_policy_with_domains.csv
ABAC                       abac_model.conf                      N/A
RESTful                    keymatch_model.conf                  keymatch_policy.csv
Deny-override              rbac_model_with_deny.conf            rbac_policy_with_deny.csv
Priority                   priority_model.conf                  priority_policy.csv

Middlewares

Authz middlewares for web frameworks: https://casbin.org/docs/en/middlewares

Our adopters

https://casbin.org/docs/en/adopters

How to Contribute

Please read the contributing guide.

License

This project is licensed under the Apache 2.0 license.

Contact

If you have any issues or feature requests, please contact us. PRs are welcome.

Issues
  • When should i call BuildRoleLinks function

    My app has about 1 million policies, 800k P policies and 200K G policies. Whenever I add a new P policy and assign it to one role, should I call the BuildRoleLinks function?

    enhancement help wanted 
    opened by UnderTreeTech 44
  • Added multiple add and remove policies API functions.

    Usage of the following functions is as follows :

    rule1 := []interface{} {"jack", "data4", "read"}
    rule2 := []interface{} {"katy", "data4", "write"}
    rule3 := []interface{} {"leyo", "data4", "read"}
    rule4 := []interface{} {"ham", "data4", "write"}
    
    e.AddPolicies(rule1, rule2, rule3, rule4)
    
    e.RemovePolicies(rule1, rule2, rule3, rule4)
    
    

    Have also added tests for these functions, all the tests pass. Please let me know if any changes are required; this is open to changes if any are required.

    opened by divy9881 31
  • [QUESTION] what's the difference of `Enforcer` and `SyncedEnforcer` if by default we have locks in every struct with map?

    I'm confused while seeing Lock in every struct with `map`. I'm wondering if it's correct and necessary?

    It's not necessary for Enforcer because normal Enforcer is not thread-safe.

    For syncedEnforcer we can have multiple goroutines reading/writing, we already have a top-level mutex, why do we still need other mutex/lock?

    Any idea?

    bug 
    opened by GopherJ 29
  • suggestion: add YAML support for model

    YAML is a human friendly data serialization standard for all programming languages.

    It can help users to write and verify the model.

    How to help users to write and verify the model?

    We need to write the YAML schema, then the IDE can provide hints based upon the YAML schema provided to help users write the schema efficiently.

    Please refer to https://dzone.com/articles/two-ways-configuration-documentation-with-springnb to write YAML schema then publish to https://github.com/SchemaStore/schemastore.

    enhancement 
    opened by nodece 27
  • Scaling ABAC Rules

    I am looking to support ABAC for a CMS-type system, where there could be thousands to potentially even more ABAC rules. Writing one long matcher isn't feasible in this case, nor is having multiple enforcers. Is there any other workaround this?

    An ABAC policy for us is something like If user age is between 24 and 64, then they can "view" some "resource". Any thoughts?

    Also, if this isn't supported, yet, what's the roadmap for something like this?

    enhancement 
    opened by harsimranb 26
  • How to synchronize multiple Casbin enforcer instances running with a single pg Gorm adapter?

    I'm using the Casbin library with the pg Gorm adapter in one of my services. I wonder how I can keep Casbin enforcers synced if I'm running multiple instances of that service? Since Casbin policies are loaded once at startup and stored in memory, if one of the instances updates policies later, other enforcers wouldn't be notified. I looked at Casbin server but am not sure if that would be helpful in this case; if so, how can I achieve the synchronization by using Casbin server? Or what are the other options?

    enhancement 
    opened by rrasulzade 25
  • fix: prevent concurrent map writes in LoadPolicyLine function

    I managed to create an environment in which the LoadPolicyLine function regularly causes concurrent map writes panics. Added a global sync.Mutex object that is used exclusively within the LoadPolicyLine function. Have not encountered any locks or concurrent map writes since this addition.

    fatal error: concurrent map writes
    
    goroutine 2247 [running]:
    runtime.throw(0xdd5620, 0x15)
            /usr/local/go/src/runtime/panic.go:1116 +0x72 fp=0xc000175278 sp=0xc000175248 pc=0x43d8d2
    runtime.mapassign_faststr(0xcfd340, 0xc0001db200, 0xc0004d7fa0, 0x19, 0xc0002d1818)
            /usr/local/go/src/runtime/map_faststr.go:291 +0x3d8 fp=0xc0001752e0 sp=0xc000175278 pc=0x41be78
    github.com/casbin/casbin/v2/persist.LoadPolicyLine(0xc0004d7f20, 0x1e, 0xc0002a9ce0)
            /home/example/go/pkg/mod/github.com/casbin/casbin/[email protected]/persist/adapter.go:43 +0x547 fp=0xc000175470 sp=0xc0001752e0 pc=0x9fbcc7
    
    opened by jamesjmurtagh 24
  • I want to combine RBAC and ABAC. I read a lot of documentation and I have a few questions.

    Hello everyone. I want to choose Casbin to manage authorization. I read a lot of documentation and I have a few questions.

    I want to combine RBAC and ABAC. With RBAC I want to control the general access to the API. With ABAC, I want to control access to certain entities (records in database). For example, I have the entity of orders and the entity of the company. Should I create three enforcers? The first one will be with the RBAC model. The second with the ABAC model to control the entity of orders. The third with the ABAC model to control the entity of companies. Right? (each entity has its own set of fields).

    The procedure will be as follows (request to API):

    Run the RBAC enforcer to determine if the user has access to the entity. Run the ABAC enforcer for a specific entity (orders or companies). In the case of ABAC, should I first select an entity from the database and pass it to the enforcer? What if the user requests a list of orders (pagination = 1000)? How to handle this? For example, I can’t pass 1000 entities to an enforcer (my idea is that there should be a common API point, which, depending on the rule, gives only those records that satisfy the condition of the model matcher)? P.S. Sorry for my english. Thanks.

    question 
    opened by MatthewPattell 24
  • How to solve the huge data when I use persistent Database?

    Hi hsluoyz,

    I use the Casbin gorm_adapter to store policies and roles in a database. When I run the program, all policies will be loaded into memory. But if there are millions of policies, I cannot do this. How to solve the huge policy data? Can I check only one policy from the database?

    Cheers Gordon

    document 
    opened by CHCP 24
  • Fix:  adding policy to adapter before trying to add into model

    Recently I'm having issue with the following code in internal_api.go

    func (e *Enforcer) addPolicy(sec string, ptype string, rule []string) (bool, error) {
    	ruleAdded := e.model.AddPolicy(sec, ptype, rule)
    	if !ruleAdded {
    		return ruleAdded, nil
    	}
    
    	if e.adapter != nil && e.autoSave {
    		if err := e.adapter.AddPolicy(sec, ptype, rule); err != nil {
    			if err.Error() != notImplemented {
    				return ruleAdded, err
    			}
    		}
    	}
    
    	if e.watcher !=nil && e.autoNotifyWatcher {
    		err := e.watcher.Update()
    		if err != nil {
    			return ruleAdded, err
    		}
    	}
    
    	return ruleAdded, nil
    }
    

    It seems logical, but it may cause bugs when there are network or IO issues. For example, it fails to add the policy to the adapter for some reason but it succeeds in adding the policy to the model. Then it returns an error to say that we didn't succeed in adding the policy, but actually we already added the policy to the model, and it will influence the enforce result.

    To solve this, shall we add policy into adapter first? I mean when auto save has been enabled.

    help wanted question released 
    opened by GopherJ 22
  • feat: pass all policies on effector interface

    opened by phoenixsqf 1
  • Role Manager performance / scaling issue

    Is your feature request related to a problem? Please describe.

    Using the standard RBAC model:

    [request_definition]
    r = sub, obj, act
    
    [policy_definition]
    p = sub, obj, act
    
    [role_definition]
    g = _, _
    
    [policy_effect]
    e = some(where (p.eft == allow))
    
    [matchers]
    m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act
    

    The (*RoleManager).HasLink function is called N times, where N is the number of unique subjects found in the policies. While this may work OK if the relationships are stored in memory, it just doesn't scale at all if the relationships are stored in an external datastore.

    Examples with a model containing 100 unique subjects that all have at least one policy:

    • our custom RoleManager that stores relationship in PostgreSQL would make 99 SQL queries (one per (*RoleManager).HasLink function call) for each (*Enforcer).Enforce call.
    • the https://github.com/casbin/okta-role-manager would make 99 Okta API calls (one per (*RoleManager).HasLink function call) for each (*Enforcer).Enforce call.
    • the https://github.com/casbin/auth0-role-manager would make 99 Auth0 API calls (one per (*RoleManager).HasLink function call) for each (*Enforcer).Enforce call.
    • etc...

    As you can see with the examples above, this cannot really scale past a few unique subjects and I'm surprised that this issue hasn't been raised before.

    Describe the solution you'd like

    Ideally, when enforcing a policy, instead of calling (*RoleManager).HasLink for each unique subject, the (*RoleManager).GetRoles function should be called to get all the relations of a subject in one shot.

    enhancement 
    opened by dahu33 2
  • [Question] What's the best way to limit/filter roles by resource? ABAC?

    What's your scenario? What do you want to achieve?

    I've read through all the docs and I'm having a hard time conceptualizing how to set up roles that are filtered based on a resource ID -- for example, a user creates a room and becomes a "host" of the room -- but only the room that user has created. The concept of "host" is only really a role in the context that it's a relationship between a User and a Room -- it doesn't apply to all Rooms. I'm muddled between using keymatch, ABAC, and how everything interacts with the Enforcer() and my database.

    Say I have these API endpoints:

    POST /rooms
    GET /rooms/:id
    POST /rooms/:id/open
    POST /rooms/:id/close
    

    and say I have two "roles" that are specific to a room

    host      # user-room relationship
    attendee  # user-room relationship
    

    For the purposes of the example, I want to express these access rules:

    • A user can POST to /rooms to create a new room and become the host of that room
    • A host can POST to /rooms/:id/open and /rooms/:id/closed, but only for the specific rooms they are the host for
    • An attendee can GET /rooms/:id, but only for the specific rooms they are attendees for

    Assume for this example that user alice is a host of rooms 1 and 2, and bob is an attendee of room 2.

    From what I've read, I don't think I should create a separate policy for each resource, e.g.

    p, alice, /rooms/1, POST
    p, alice, /rooms/1/open, POST
    p, alice, /rooms/1/close, POST   
    p, alice, /rooms/2, POST
    p, alice, /rooms/2/open, POST
    p, alice, /rooms/2/close, POST
    p, bob, /rooms/2, GET
    

    So, would I express the fact that alice is a host for rooms 1 & 2 using a db-stored policy somehow?

    p, host, /rooms/:id/open, POST
    p, host, /rooms/:id/close, POST
    p, attendee, /rooms/:id, GET
    
    g, alice, host, /rooms/1  # <-- somehow express that alice is the host of room with id 1, not all rooms
    g, alice, host, /rooms/2
    g, bob, attendee, /rooms/2
    

    Or would I try and match up the ID in the policy (I think I'm not understanding this)?

    p, r.sub.id == r.obj.id, /rooms/:id/open, POST 
    p, r.sub.id == r.obj.id, /rooms/:id/close, POST
    

    Or would I use a custom function in my policy somehow and express the host relationship as a lookup on a join table between User and Room?

    p, isHost(userID, roomID), /rooms/:id/open, POST
    p, isHost(userID, roomID), /rooms/:id/close, POST
    
    question 
    opened by awmcclain 9
  • [Feature] Union the effect of different roles

    Is your feature request related to a problem? Please describe.

    I cannot find the available built-in policy effects when a user has more than one role with "deny override" policy

    Your model:

    [request_definition]
    r = sub, obj, act
    
    [policy_definition]
    p = sub, obj, act, eft
    
    [role_definition]
    g = _, _
    
    [policy_effect]
    e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
    
    [matchers]
    m = g(r.sub, p.sub) && r.obj == p.obj && keyMatch(r.act, p.act)
    

    Your policy:

    p, writer, data1, write, allow
    p, reader, data1, *, allow
    p, reader, data1, write, deny
    
    g, alice, writer
    g, alice, reader
    g, bob, reader
    

    Your request(s):

    alice, data1, write ---> false (expected: true)
    bob, data1, write ---> false (expected: false)
    

    As the example above, user alice has both of writer and reader role. The usually expected result is: alice is allowed to write data1

    Describe alternatives you've considered

    Add two arguments to the function MergeEffects in Effector interface, one is the rmMap and the other one contains the matches information like this:

    {
        effector.Allow: {
           subSet: { "writer", "reader" }
        },
        effector.Deny: {
           subSet: { "reader" }
        },
        effector.Indeterminate: {
           subSet: { }
        }
    }
    

    Then, I will be able to implement the MergeEffects by myself.

    enhancement question 
    opened by GYWang1983 11
  • feat: add cross domain support

    opened by tangyang9464 0
  • [Question] Hierarchical domains with (hierarchical) roles

    What's your scenario? What do you want to achieve?

    Pretty much a follow-up from https://github.com/casbin/casbin/issues/718#issuecomment-889785940

    So, do you think this problem is solvable by Casbin? I think this is pretty typical use case of hierarchical RBAC where you do not want to define global role hierarchy into each domain.

    General idea would be pretty similar to the original question:

    • global domain
      • subdomain1
        • lowersubdomain1
      • subdomain2
    1. So if alice is an admin in global domain, she should be an admin in all domains below it (subdomain1, lowersubdomain1, subdomain2).
      1. This should happen without any additional policy lines. g, alice, admin, global domain should be sufficient
      2. Defining what permissions admin has in each domain is still required.
    2. If bob is an admin in subdomain1, he should have admin access to lowersubdomain1
      1. But no access to any other domain

    Your model:

    [request_definition]
    r = sub, dom, obj, act
    
    [policy_definition]
    p = sub, dom, obj, act
    
    [role_definition]
    g = _, _, _
    g2 = _, _
    
    [policy_effect]
    e = some(where (p.eft == allow))
    
    [matchers]
    m = g(r.sub, p.sub, r.dom) && g2(r.dom, p.dom) && regexMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
    

    Your policy:

    p, admin, global_domain, data1, (read|write)
    p, admin, sub_domain, data2, (read|write)
    
    g, alice, admin, global_domain
    g, bob, admin, sub_domain
    g2, sub_domain, global_domain
    

    Your request(s):

    alice, global_domain, data1, read --> true, correct
    alice, sub_domain, data2, read --> false, incorrect
    bob, sub_domain, data2, read --> true, correct
    
    question 
    opened by Sefriol 3
  • Is there a way to use RBAC with multiple domains?

    What's your scenario? What do you want to achieve?

    Is there a way to define not one but multiple domains for the RBAC with domains model? I managed to use either a wildcard or a single domain, but I did not manage to get a multi-domain model set up properly.

    [request_definition]
    r = sub, dom, obj, act
    
    [policy_definition]
    p = sub, obj, act
    
    [role_definition]
    g = _, _, _
    
    [policy_effect]
    e = some(where (p.eft == allow))
    
    [matchers]
    m = (g(r.sub, p.sub, "*") && r.obj == p.obj && r.act == p.act) \
      || (g(r.sub, p.sub, r.dom) && r.obj == p.obj && r.act == p.act)
    
    p, alice, data1, read
    p, bob, data2, write
    p, data2_admin, data2, read
    p, data2_admin, data2, write
    
    g, alice, data2_admin
    
    p, super, entity, create
    p, super, entity, read
    p, super, entity, update
    p, super, entity, delete
    
    g, user_wildcard, data, *
    g, user_tenant_1, data, 6ec54488-05ac-11ec-8671-9cb6d0dc265f
    g, user_tenant_2, data, 7b5aa454-05ac-11ec-8671-9cb6d0dc265f
    g, user_both_tenants, data, 6ec54488-05ac-11ec-8671-9cb6d0dc265f
    g, user_both_tenants, data, 7b5aa454-05ac-11ec-8671-9cb6d0dc265f
    
    

    user_wildcard is allowed to access all domains. user_tenant_1 and user_tenant_2 can access their corresponding tenant. But user_both_tenants is not allowed for both tenants.

    I assume I have to change my model, instead of my policy?

    Thanks for an answer.

    enhancement question 
    opened by resingm 4
  • [Question] Policy Group

    What's your scenario? What do you want to achieve?

    Is there a config or a way to use multi-policy like methods?

    Your model:

    [request_definition]
    r = sub, obj, act
    
    [policy_definition]
    p = sub, obj, act, eft
    
    [role_definition]
    g = _, _
    
    [policy_effect]
    e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
    
    [matchers]
    m = g(r.sub, p.sub) && keyMatch2(r.obj, p.obj) && regexMatch(r.act, p.act)
    

    Your policy:

    p, alice1, /alice_data, (GET)|(POST), allow
    p, alice2, /alice_data/:id, (GET)|(PUT)|(DELETE), allow
    p, bob1, /bob_data, (GET)|(POST), allow
    p, bob2, /bob_data/:id, (GET)|(PUT)|(DELETE), allow
    
    g, alice, (alice1)|(alice2)
    g, other, bob1
    

    Your request(s):

    alice, /alice_data, GET ---> false (expected: true)
    other, /bob_data, POST ---> true (ok)
    
    question 
    opened by itgelo 22
  • [Question] What is the best model for policy Inheritance

    What's your scenario? What do you want to achieve?

    We are trying to build an authorization system for a SaaS platform. On that platform, there will be a hierarchical organizational structure which looks like this

    image or can be this image

    The Admin of parent org can have the same policy on the children organization data.

    I have tried to follow some examples in https://github.com/casbin/casbin/issues/99, but there seems to be an issue regarding policy inheritance. So many unnecessary policies need to be created. So do you guys have any suggestions for such a business model? Thank you so much.

    question 
    opened by nguyenpc 2
Releases(v2.37.4)
Owner
Casbin
Casbin authorization library and the official middlewares
Casbin