In my DDD application written in javascript (Node.js), I come across an implementation of a common authorization subdomain. I checked on RBAC / ACL authorization models how to implement this, but they don't seem to have the permissions for each instance that I need.
From what I understand, RBAC has role-based credentials. Roles are assigned to users. Roles are hierarchical and inherit permissions. Roles can have several permissions. Permissions allow you to execute commands on resources.
But, as defined by RBAC, resources are general in nature, such as Messages, Comment, Book, etc. They are instance independent (e.g. Post (id: 9283984)). For example, in RBAC it is impossible to determine that only the user who created the message can edit it. It seems impossible to assign the "Admin" role to "User (id: (8290321)" in the given "Post (id: 2398493)"
It is even more difficult to identify roles that have permissions to execute commands that change the roles of other people on a particular resource.
My application requirements:
UserThe one that issued the command CreateLedgeris automatically assigned like Adminthis Ledger. He may appoint other people just like Managersor Collaboratorsor Viewersfor Ledger, which he has Adminof. He can also cancel these roles. Managersallowed to drive Accounts Ledger. Collaboratorsallowed to edit Transactionson this Ledger, and Viewers- only view data (read only). Adminmay assign a role Adminto the books he has Adminfor another User.
My initial idea was that in order for a user to be able to manage user roles on a resource, there had to be a mapping between
user(id:X) -> role(name:Z) -> permissions -> resource(id:Y) -> commands
but in RBAC you can assign
user(id:X) -> role(name:Z) -> permissions -> resource(name:"Ledger") -> commands
Then, to overcome this RBAC limitation, I thought about naming resources with their identifiers like
user(id:X) -> role(name:Z) -> permissions -> resource(name:"Ledger:39823847") -> commands
. RBAC, , .
? ? - , ? ? , - .