diff --git a/docs/RBACWithConditions.mdx b/docs/RBACWithConditions.mdx index 85945a7a..1a5403f7 100644 --- a/docs/RBACWithConditions.mdx +++ b/docs/RBACWithConditions.mdx @@ -8,9 +8,9 @@ authors: [PokIsemaine] ## Conditional RoleManager -`ConditionalRoleManager` supports custom condition functions at the policy level. +The `ConditionalRoleManager` allows you to apply custom condition functions at the policy level. -For example, when we need a temporary role policy, we can follow the following approach: +When you need role policies that are valid only under certain conditions—such as time-based temporary roles—you can configure this as shown below: `model.conf` @@ -31,8 +31,7 @@ e = some(where (p.eft == allow)) m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act ``` -`g = _, _, (_, _)` uses `(_, _)` to contain a list of arguments to pass to the condition function -and `_` as a parameter placeholder +The syntax `g = _, _, (_, _)` defines a role relationship with additional parameters. The underscores `_` serve as placeholders, while the parentheses `(_, _)` specify the list of arguments that will be passed to the condition function. `policy.csv` @@ -57,10 +56,7 @@ g, alice, data8_admin, 9999-12-30 00:00:00, _ ### Basic Usage -Add a conditional function for the role policy(`g`type policy) through `AddNamedLinkConditionFunc`, -and when enforcing is executed, the corresponding parameters will be automatically obtained -and passed in the conditional function for checking. -If the check passes, then the corresponding role policy(`g` type policy) is valid, otherwise it is invalid +Use `AddNamedLinkConditionFunc` to attach a condition function to a role policy (of type `g`). During enforcement, the system automatically retrieves the corresponding parameters and passes them to the condition function. The role policy is considered valid only if the function returns true. ```go e.AddNamedLinkConditionFunc("g", "alice", "data2_admin", util.TimeMatchFunc) @@ -72,25 +68,25 @@ e.AddNamedLinkConditionFunc("g", "alice", "data7_admin", util.TimeMatchFunc) e.AddNamedLinkConditionFunc("g", "alice", "data8_admin", util.TimeMatchFunc) -e.enforce("alice", "data1", "read") // except: true -e.enforce("alice", "data2", "write") // except: false -e.enforce("alice", "data3", "read") // except: true -e.enforce("alice", "data4", "write") // except: true -e.enforce("alice", "data5", "read") // except: true -e.enforce("alice", "data6", "write") // except: false -e.enforce("alice", "data7", "read") // except: true -e.enforce("alice", "data8", "write") // except: false +e.enforce("alice", "data1", "read") // expect: true +e.enforce("alice", "data2", "write") // expect: false +e.enforce("alice", "data3", "read") // expect: true +e.enforce("alice", "data4", "write") // expect: true +e.enforce("alice", "data5", "read") // expect: true +e.enforce("alice", "data6", "write") // expect: false +e.enforce("alice", "data7", "read") // expect: true +e.enforce("alice", "data8", "write") // expect: false ``` ### Custom condition functions -Custom conditional functions need to conform to the following function types +Condition functions must follow this signature: ```go type LinkConditionFunc = func(args ...string) (bool, error) ``` -for example: +Example implementation: ```go // TimeMatchFunc is the wrapper for TimeMatch. @@ -169,10 +165,7 @@ g, alice, data8_admin, domain8, 9999-12-30 00:00:00, _ ### Basic Usage -Add a conditional function for the role policy(`g`type policy) through `AddNamedDomainLinkConditionFunc`, -and when enforcing is executed, the corresponding parameters will be automatically obtained -and passed in the conditional function for checking. -If the check passes, then the corresponding role policy(`g` type policy) is valid, otherwise it is invalid +Use `AddNamedDomainLinkConditionFunc` to attach a condition function to a domain-specific role policy (of type `g`). During enforcement, the system automatically retrieves the corresponding parameters and passes them to the condition function. The role policy is considered valid only if the function returns true. ```go e.AddNamedDomainLinkConditionFunc("g", "alice", "data2_admin", "domain2", util.TimeMatchFunc) @@ -184,28 +177,28 @@ e.AddNamedDomainLinkConditionFunc("g", "alice", "data7_admin", "domain7", util.T e.AddNamedDomainLinkConditionFunc("g", "alice", "data8_admin", "domain8", util.TimeMatchFunc) -e.enforce("alice", "domain1", "data1", "read") // except: true -e.enforce("alice", "domain2", "data2", "write") // except: false -e.enforce("alice", "domain3", "data3", "read") // except: true -e.enforce("alice", "domain4", "data4", "write") // except: true -e.enforce("alice", "domain5", "data5", "read") // except: true -e.enforce("alice", "domain6", "data6", "write") // except: false -e.enforce("alice", "domain7", "data7", "read") // except: true -e.enforce("alice", "domain8", "data8", "write") // except: false -e.enforce("alice", "domain_not_exist", "data1", "write") // except: false -e.enforce("alice", "domain_not_exist", "data2", "read") // except: false -e.enforce("alice", "domain_not_exist", "data3", "write") // except: false -e.enforce("alice", "domain_not_exist", "data4", "read") // except: false -e.enforce("alice", "domain_not_exist", "data5", "write") // except: false -e.enforce("alice", "domain_not_exist", "data6", "read") // except: false -e.enforce("alice", "domain_not_exist", "data7", "write") // except: false -e.enforce("alice", "domain_not_exist", "data8", "read") // except: false +e.enforce("alice", "domain1", "data1", "read") // expect: true +e.enforce("alice", "domain2", "data2", "write") // expect: false +e.enforce("alice", "domain3", "data3", "read") // expect: true +e.enforce("alice", "domain4", "data4", "write") // expect: true +e.enforce("alice", "domain5", "data5", "read") // expect: true +e.enforce("alice", "domain6", "data6", "write") // expect: false +e.enforce("alice", "domain7", "data7", "read") // expect: true +e.enforce("alice", "domain8", "data8", "write") // expect: false +e.enforce("alice", "domain_not_exist", "data1", "write") // expect: false +e.enforce("alice", "domain_not_exist", "data2", "read") // expect: false +e.enforce("alice", "domain_not_exist", "data3", "write") // expect: false +e.enforce("alice", "domain_not_exist", "data4", "read") // expect: false +e.enforce("alice", "domain_not_exist", "data5", "write") // expect: false +e.enforce("alice", "domain_not_exist", "data6", "read") // expect: false +e.enforce("alice", "domain_not_exist", "data7", "write") // expect: false +e.enforce("alice", "domain_not_exist", "data8", "read") // expect: false ``` ### Custom condition functions -Like the basic `Conditional RoleManager`, custom functions are supported, and there is no difference in use. +Custom condition functions work the same way as in the basic `Conditional RoleManager`. -Note that `DomainMatchingFunc`, `MatchingFunc`, and `LinkConditionFunc` are at different levels and are used in different situations. +Keep in mind that `DomainMatchingFunc`, `MatchingFunc`, and `LinkConditionFunc` operate at different levels and serve distinct purposes. ![conditional_rolemanager_with_domains](/img/rbac/conditional_rolemanager_with_domains.png) diff --git a/docs/RBACWithConditionsAPI.mdx b/docs/RBACWithConditionsAPI.mdx index edc0bfeb..74d710f9 100644 --- a/docs/RBACWithConditionsAPI.mdx +++ b/docs/RBACWithConditionsAPI.mdx @@ -6,14 +6,13 @@ keywords: [RBAC with conditions, API] authors: [PokIsemaine] --- -A more user-friendly API for [RBAC with conditions](RBACWithConditions.mdx). +This API provides a simplified interface for working with [RBAC with conditions](RBACWithConditions.mdx). ## Reference ### AddNamedLinkConditionFunc -`AddNamedLinkConditionFunc` Add condition function fn for Link `userName->roleName`, -when fn returns true, Link is valid, otherwise invalid +`AddNamedLinkConditionFunc` attaches a condition function to a link between `userName` and `roleName`. The link is valid only when the function returns true. ```mdx-code-block @@ -31,8 +30,7 @@ e.AddNamedLinkConditionFunc("g", "userName", "roleName", YourLinkConditionFunc) ### AddNamedDomainLinkConditionFunc -`AddNamedDomainLinkConditionFunc` Add condition function fn for Link `userName-> {roleName, domain}`, -when fn returns true, Link is valid, otherwise invalid +`AddNamedDomainLinkConditionFunc` attaches a condition function to a link between `userName` and `{roleName, domain}`. The link is valid only when the function returns true. ```mdx-code-block @@ -50,7 +48,7 @@ e.AddNamedDomainLinkConditionFunc("g", "userName", "roleName", "domainName", You ### SetNamedLinkConditionFuncParams -`SetNamedLinkConditionFuncParams` Sets the parameters of the condition function fn for Link `userName->roleName` +`SetNamedLinkConditionFuncParams` configures the parameters passed to the condition function for a link between `userName` and `roleName`. ```mdx-code-block @@ -69,8 +67,7 @@ e.SetNamedLinkConditionFuncParams("g", "userName2", "roleName2", "YourConditionF ### SetNamedDomainLinkConditionFuncParams -`SetNamedDomainLinkConditionFuncParams` Sets the parameters of the condition function fn -for Link `userName->{roleName, domain}` +`SetNamedDomainLinkConditionFuncParams` configures the parameters passed to the condition function for a link between `userName` and `{roleName, domain}`. ```mdx-code-block diff --git a/docs/RBACWithDomains.mdx b/docs/RBACWithDomains.mdx index 35ca363b..07d040bb 100644 --- a/docs/RBACWithDomains.mdx +++ b/docs/RBACWithDomains.mdx @@ -8,16 +8,16 @@ authors: [hsluoyz] ## Role Definition with Domain Tenants -The RBAC roles in Casbin can be global or domain-specific. Domain-specific roles mean that the roles for a user can be different when the user is in different domains/tenants. This is very useful for large systems like a cloud, as users are usually in different tenants. +In Casbin, RBAC roles can be either global or domain-specific. Domain-specific roles allow a user to hold different roles across different domains or tenants. This capability is particularly valuable in large-scale systems such as cloud platforms, where users frequently operate within multiple distinct tenants. -The role definition with domains/tenants should look like this: +The role definition for domains or tenants should be structured as follows: ```ini [role_definition] g = _, _, _ ``` -The third `_` represents the name of the domain/tenant, and this part should not be changed. Then the policy can be: +The third underscore `_` denotes the domain or tenant name and must remain unchanged. With this setup, policies can be written like this: ```csv p, admin, tenant1, data1, read @@ -27,31 +27,30 @@ g, alice, admin, tenant1 g, alice, user, tenant2 ``` -This means that the `admin` role in `tenant1` can read `data1`. And `alice` has the `admin` role in `tenant1` and the `user` role in `tenant2`. Therefore, she can read `data1`. However, since `alice` is not an `admin` in `tenant2`, she cannot read `data2`. +This configuration means that the `admin` role in `tenant1` has read access to `data1`. Alice holds the `admin` role in `tenant1` and the `user` role in `tenant2`, so she can read `data1`. However, because Alice is not an `admin` in `tenant2`, she cannot read `data2`. -Then, in a matcher, you should check the role as follows: +In your matcher, verify the role as follows: ```ini [matchers] m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act ``` -Please refer to the [rbac_with_domains_model.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_domains_model.conf) for examples. +For additional examples, refer to [rbac_with_domains_model.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_domains_model.conf). :::info Token Name Convention -Note: Conventionally, the domain token name in policy definition is `dom` and is placed as the second token (`sub, dom, obj, act`). -Now, Golang Casbin supports customized token names and placement. If the domain token name is `dom`, the domain token can be placed at an arbitrary position without any additional action. If the domain token name is not `dom`, `e.SetFieldIndex()` for `constant.DomainIndex` should be called after the enforcer is initialized, regardless of its position. +By convention, the domain token in policy definitions is named `dom` and is typically positioned as the second token (e.g., `sub, dom, obj, act`). Golang Casbin now supports custom token names and positions. If the domain token is named `dom`, it can be placed anywhere without extra configuration. For other names, call `e.SetFieldIndex()` with `constant.DomainIndex` after initializing the enforcer, regardless of token position. ```ini -# `domain` here for `dom` +# Using `domain` instead of `dom` [policy_definition] p = sub, obj, act, domain ``` ```go e.SetFieldIndex("p", constant.DomainIndex, 3) // index starts from 0 -users := e.GetAllUsersByDomain("domain1") // without SetFieldIndex, it will raise an error +users := e.GetAllUsersByDomain("domain1") // without SetFieldIndex, this will raise an error ``` ::: diff --git a/docs/RBACWithDomainsAPI.mdx b/docs/RBACWithDomainsAPI.mdx index efb819ed..c6c41a0e 100644 --- a/docs/RBACWithDomainsAPI.mdx +++ b/docs/RBACWithDomainsAPI.mdx @@ -6,7 +6,7 @@ keywords: [RBAC with domains, API] authors: [hsluoyz] --- -A more user-friendly API for RBAC with domains. This API is a subset of the Management API. RBAC users can use this API to simplify their code. +This simplified API is designed for RBAC with domains. It is a subset of the Management API, making it easier for RBAC users to work with domain-based policies. ## Reference @@ -82,7 +82,7 @@ Enforcer e = new Enforcer("examples/rbac_with_domains_model.conf", "examples/rba ### `GetUsersForRoleInDomain()` -The `GetUsersForRoleInDomain()` function retrieves the users that have a role within a domain. +`GetUsersForRoleInDomain()` retrieves all users assigned to a specific role within a domain. For example: @@ -120,7 +120,7 @@ res = e.get_users_for_role_in_domain("admin", "domain1") ### `GetRolesForUserInDomain()` -The `GetRolesForUserInDomain()` function retrieves the roles that a user has within a domain. +`GetRolesForUserInDomain()` retrieves all roles assigned to a user within a domain. For example: @@ -167,7 +167,7 @@ List res = e.getRolesForUserInDomain("admin", "domain1"); ### `GetPermissionsForUserInDomain()` -The `GetPermissionsForUserInDomain()` function retrieves the permissions for a user or role within a domain. +`GetPermissionsForUserInDomain()` retrieves all permissions for a user or role within a domain. For example: @@ -196,7 +196,7 @@ List> res = e.getPermissionsForUserInDomain("alice", "domain1"); ### `AddRoleForUserInDomain()` -The `AddRoleForUserInDomain()` function adds a role for a user within a domain. It returns `false` if the user already has the role (no changes made). +`AddRoleForUserInDomain()` assigns a role to a user within a domain. Returns `false` if the user already has the role (no changes made). For example: @@ -234,7 +234,7 @@ boolean ok = e.addRoleForUserInDomain("alice", "admin", "domain1"); ### `DeleteRoleForUserInDomain()` -The `DeleteRoleForUserInDomain()` function removes a role for a user within a domain. It returns `false` if the user does not have the role (no changes made). +`DeleteRoleForUserInDomain()` removes a role from a user within a domain. Returns `false` if the user does not have the role (no changes made). For example: @@ -263,7 +263,7 @@ boolean ok = e.deleteRoleForUserInDomain("alice", "admin", "domain1"); ### `DeleteRolesForUserInDomain()` -The `DeleteRolesForUserInDomain()` function removes all roles for a user within a domain. It returns `false` if the user does not have any roles (no changes made). +`DeleteRolesForUserInDomain()` removes all roles from a user within a domain. Returns `false` if the user has no roles (no changes made). For example: @@ -283,7 +283,7 @@ ok, err := e.DeleteRolesForUserInDomain("alice", "domain1") ### `GetAllUsersByDomain()` -The `GetAllUsersByDomain()` function retrieves all users associated with the given domain. It returns an empty string array if no domain is defined in the model. +`GetAllUsersByDomain()` retrieves all users associated with the specified domain. Returns an empty string array if no domain is defined in the model. For example: @@ -303,7 +303,7 @@ res := e.GetAllUsersByDomain("domain1") ### `DeleteAllUsersByDomain()` -The `DeleteAllUsersByDomain()` function deletes all users associated with the given domain. It returns `false` if no domain is defined in the model. +`DeleteAllUsersByDomain()` removes all users associated with the specified domain. Returns `false` if no domain is defined in the model. For example: @@ -323,8 +323,7 @@ ok, err := e.DeleteAllUsersByDomain("domain1") ### `DeleteDomains()` -DeleteDomains would delete all associated users and roles. -It would delete all domains if parameter is not provided. +`DeleteDomains()` removes all associated users and roles for the specified domains. If no parameters are provided, all domains are deleted. For example: @@ -344,7 +343,7 @@ ok, err := e.DeleteDomains("domain1", "domain2") ### `GetAllDomains()` -GetAllDomains would get all domains. +`GetAllDomains()` retrieves all domains. For example: @@ -364,13 +363,13 @@ res, _ := e.GetAllDomains() :::note -If you are handling a domain like ```name::domain```, it may lead to unexpected behavior. In Casbin, ```::``` is a reserved keyword, just like ```for```, ```if``` in a programming language, we should never put ```::``` in a domain. +When handling domain names that contain `::`, unexpected behavior may occur. In Casbin, `::` is a reserved keyword, similar to `for` or `if` in programming languages. Never use `::` within a domain name. ::: ### `GetAllRolesByDomain()` -GetAllRolesByDomain would get all roles associated with the domain. +`GetAllRolesByDomain()` retrieves all roles associated with the specified domain. For example: @@ -396,7 +395,7 @@ This method does not apply to domains that have an inheritance relationship, als ### `GetImplicitUsersForResourceByDomain()` -GetImplicitUsersForResourceByDomain return implicit user based on resource and domain. +`GetImplicitUsersForResourceByDomain()` returns implicit users based on resource and domain. For example: diff --git a/docs/RBACWithPattern.mdx b/docs/RBACWithPattern.mdx index 6ed0e423..7fa449c3 100644 --- a/docs/RBACWithPattern.mdx +++ b/docs/RBACWithPattern.mdx @@ -8,39 +8,39 @@ authors: [hsluoyz] ## Quick Start -- Use pattern in `g(_, _)`. +- Use pattern matching in `g(_, _)`: ```go e, _ := NewEnforcer("./example.conf", "./example.csv") e.AddNamedMatchingFunc("g", "KeyMatch2", util.KeyMatch2) ``` -- Use pattern with domain. +- Use pattern matching with domains: ```go e.AddNamedDomainMatchingFunc("g", "KeyMatch2", util.KeyMatch2) ``` -- Use all patterns. +- Use both patterns together: - Just combine the use of both APIs. + Simply combine both API calls. -As shown above, after you create the `enforcer` instance, you need to activate pattern matching via the `AddNamedMatchingFunc` and `AddNamedDomainMatchingFunc` APIs, which determine how the pattern matches. +After creating the `enforcer` instance, activate pattern matching using the `AddNamedMatchingFunc` and `AddNamedDomainMatchingFunc` APIs. These determine how the pattern matching is performed. :::note -If you use the online editor, You can add a pattern matching function by clicking the "Add Role Matching" button in the lower left corner. +If using the online editor, add a pattern matching function by clicking the "Add Role Matching" button in the lower left corner. ![editor-tips](/img/editor-tips.png) ::: ## Use pattern matching in RBAC -Sometimes, you want certain subjects, objects, or domains/tenants with a specific pattern to be automatically granted a role. Pattern matching functions in RBAC can help you do that. A pattern matching function shares the same parameters and return value as the previous [matcher function](/docs/syntax-for-models#functions-in-matchers). +Sometimes you want subjects, objects, or domains with a specific pattern to automatically inherit a role. Pattern matching functions in RBAC enable this behavior. These functions share the same parameters and return values as the [matcher functions](/docs/syntax-for-models#functions-in-matchers). -The pattern matching function supports each parameter of `g`. +Pattern matching functions work with each parameter of `g`. -We know that normally RBAC is expressed as `g(r.sub, p.sub)` in a matcher. Then we can use a policy like: +Normally, RBAC is expressed as `g(r.sub, p.sub)` in a matcher. You can then use policies like: ```csv p, alice, book_group, read @@ -48,15 +48,15 @@ g, /book/1, book_group g, /book/2, book_group ``` -So `alice` can read all books including `book 1` and `book 2`. But there can be thousands of books, and it's very tedious to add each book to the book role (or group) with one `g` policy rule. +In this case, `alice` can read all books, including `book 1` and `book 2`. However, with thousands of books, adding each one individually to the book role or group with a separate `g` policy becomes tedious. -But with pattern matching functions, you can write the policy with only one line: +With pattern matching functions, you can write the policy in a single line: ```csv g, /book/:id, book_group ``` -Casbin will automatically match `/book/1` and `/book/2` into the pattern `/book/:id` for you. You only need to register the function with the enforcer like: +Casbin automatically matches `/book/1` and `/book/2` to the pattern `/book/:id`. You just need to register the function with the enforcer: ```mdx-code-block @@ -81,7 +81,7 @@ await e.addNamedMatchingFunc('g', Util.keyMatch2Func); ``` -When using a pattern matching function in domains/tenants, you need to register the function with the enforcer and model. +When using pattern matching with domains, register the function with both the enforcer and the model: ```mdx-code-block @@ -106,11 +106,11 @@ await e.addNamedDomainMatchingFunc('g', Util.keyMatch2Func); ``` -If you don't understand what `g(r.sub, p.sub, r.dom)` means, please read [rbac-with-domains](/docs/rbac-with-domains). In short, `g(r.sub, p.sub, r.dom)` will check whether the user `r.sub` has a role `p.sub` in the domain `r.dom`. So this is how the matcher works. You can see the full example [here](https://github.com/casbin/casbin/blob/dbdb6cbe2e7a80863e4951f9ff36da07fef01b75/model_test.go#L278-L307). +If you're unclear about the meaning of `g(r.sub, p.sub, r.dom)`, refer to [rbac-with-domains](/docs/rbac-with-domains). In brief, `g(r.sub, p.sub, r.dom)` checks whether user `r.sub` has role `p.sub` in domain `r.dom`. For a complete example, see [here](https://github.com/casbin/casbin/blob/dbdb6cbe2e7a80863e4951f9ff36da07fef01b75/model_test.go#L278-L307). -Apart from the pattern matching syntax above, we can also use pure domain pattern. +You can also use pure domain patterns in addition to the pattern matching syntax shown above. -For example, if we want `sub` to have access in different domains, `domain1` and `domain2`, we can use the pure domain pattern: +For example, to grant `sub` access across different domains like `domain1` and `domain2`, use pure domain patterns: ```csv p, admin, domain1, data1, read @@ -122,6 +122,6 @@ g, alice, admin, * g, bob, admin, domain2 ``` -In this example, we want `alice` to read and write `data` in domain1 and domain2. Pattern matching `*` in `g` makes `alice` have access to two domains. +Here, `alice` can read and write `data` in both `domain1` and `domain2`. The wildcard `*` in `g` grants `alice` access across both domains. -By using pattern matching, especially in scenarios that are more complicated and have a lot of domains or objects to consider, we can implement the `policy_definition` in a more elegant and effective way. +Pattern matching is particularly useful in complex scenarios with many domains or objects, enabling more elegant and effective `policy_definition` implementations. diff --git a/docs/ReBAC.mdx b/docs/ReBAC.mdx index 1567914d..510e6ab5 100644 --- a/docs/ReBAC.mdx +++ b/docs/ReBAC.mdx @@ -7,27 +7,27 @@ authors: [D0000M] --- ## What is the ReBAC Model? -ReBAC (Relationship-Based Access Control) is a modern access control model that focuses on relationships between entities for permission management. Compared to traditional RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access Control), ReBAC is better suited for systems with complex relationship networks, such as social networks, collaboration platforms, and multi-tenant systems. +ReBAC (Relationship-Based Access Control) is a contemporary access control model that manages permissions based on relationships between entities. Unlike traditional models such as RBAC (Role-Based Access Control) or ABAC (Attribute-Based Access Control), ReBAC excels in systems with intricate relationship networks, including social networks, collaborative platforms, and multi-tenant environments. -In ReBAC, authorization decisions are based on relationships between entities, such as: +In ReBAC, authorization decisions depend on the relationships between entities, for example: - Is the user the "owner" of the resource? - Is the user a "friend" of the resource's "creator"? - Does the user belong to an organization associated with the resource? -- Is the user an "admin" of a certain "project"? +- Is the user an "admin" of a specific "project"? -These relationships are typically modeled as graph structures or paths. +These relationships are typically represented as graph structures or paths. ## ReBAC Support in Casbin -Casbin provides the following mechanisms to implement ReBAC: +Casbin supports ReBAC through the following mechanisms: - User-Resource-Role Relationships - Resource-Type Relationships -A single policy rule can cover multiple users and multiple resources of the same type, enabling flexible and scalable permission control through relationship combinations. +A single policy rule can apply to multiple users and multiple resources of the same type, enabling flexible and scalable permission control through relationship combinations. -Casbin uses `.conf` files to define access control models. Below is an official ReBAC model example: +Casbin uses `.conf` files to define access control models. Here is an official ReBAC model example: ```ini [request_definition] @@ -58,4 +58,4 @@ g, alice, doc1, collaborator g2, doc1, doc ``` -By checking whether a user has a specific role for a given resource and whether the resource belongs to a specified type, permissions are automatically derived through **role relationships + type relationships + permission definitions**. +Permissions are automatically derived by verifying that a user has a specific role for a resource and that the resource belongs to the specified type, combining **role relationships + type relationships + permission definitions**. diff --git a/docs/RoleManagerApi.mdx b/docs/RoleManagerApi.mdx index 01ba9975..eaab723a 100644 --- a/docs/RoleManagerApi.mdx +++ b/docs/RoleManagerApi.mdx @@ -8,11 +8,11 @@ authors: [closetool, kiloson-c] ## RoleManager -The RoleManager provides an interface for defining operations to manage roles. The addition of a matching function to the RoleManager allows the use of wildcards in role names and domains. +The RoleManager provides an interface for managing role operations. Adding a matching function to the RoleManager enables the use of wildcards in role names and domains. ### `AddNamedMatchingFunc()` -The `AddNamedMatchingFunc` function adds a `MatchingFunc` by Ptype to the RoleManager. The `MatchingFunc` will be used when performing role matching. +`AddNamedMatchingFunc` registers a `MatchingFunc` for a specific policy type in the RoleManager. The `MatchingFunc` is applied during role matching. ```mdx-code-block @@ -41,7 +41,7 @@ The `AddNamedMatchingFunc` function adds a `MatchingFunc` by Ptype to the RoleMa ``` -For example: +Example usage: ```mdx-code-block @@ -70,9 +70,9 @@ For example: ### `AddNamedDomainMatchingFunc()` -The `AddNamedDomainMatchingFunc` function adds a `MatchingFunc` by Ptype to the RoleManager. The `DomainMatchingFunc` is similar to the `MatchingFunc` listed above. +`AddNamedDomainMatchingFunc` registers a `MatchingFunc` for a specific policy type in the RoleManager. The `DomainMatchingFunc` works similarly to `MatchingFunc`. -For example: +Example usage: ```mdx-code-block @@ -101,9 +101,9 @@ For example: ### `GetRoleManager()` -The `GetRoleManager` function gets the current role manager for `g`. +`GetRoleManager` retrieves the current role manager for `g`. -For example: +Example usage: ```mdx-code-block @@ -139,9 +139,9 @@ For example: ### `GetNamedRoleManager()` -The `GetNamedRoleManager` function gets the role manager by named Ptype. +`GetNamedRoleManager` retrieves the role manager by named policy type. -For example: +Example usage: ```mdx-code-block @@ -177,9 +177,9 @@ For example: ### `SetRoleManager()` -The `SetRoleManager` function sets the current role manager for `g`. +`SetRoleManager` assigns the current role manager for `g`. -For example: +Example usage: ```mdx-code-block @@ -215,9 +215,9 @@ For example: ### `SetNamedRoleManager()` -The `SetNamedRoleManager` function sets the role manager by named Ptype. +`SetNamedRoleManager` assigns the role manager by named policy type. -For example: +Example usage: ```mdx-code-block @@ -244,9 +244,9 @@ For example: ### `Clear()` -The `Clear` function clears all stored data and resets the role manager to its initial state. +`Clear` removes all stored data and resets the role manager to its initial state. -For example: +Example usage: ```mdx-code-block @@ -282,10 +282,9 @@ For example: ### `AddLink()` -AddLink adds the inheritance link between two roles. role: name1 and role: name2. -Domain is a prefix to the roles (can be used for other purposes). +`AddLink` creates an inheritance link between two roles: `name1` and `name2`. The domain parameter serves as a prefix to the roles (can also be used for other purposes). -For example: +Example usage: ```mdx-code-block @@ -321,10 +320,9 @@ For example: ### `DeleteLink()` -DeleteLink deletes the inheritance link between two roles. role: name1 and role: name2. -Domain is a prefix to the roles (can be used for other purposes). +`DeleteLink` removes the inheritance link between two roles: `name1` and `name2`. The domain parameter serves as a prefix to the roles (can also be used for other purposes). -For example: +Example usage: ```mdx-code-block @@ -360,10 +358,9 @@ For example: ### `HasLink()` -HasLink determines whether a link exists between two roles. role: name1 inherits role: name2. -Domain is a prefix to the roles (can be used for other purposes). +`HasLink` checks whether a link exists between two roles, where `name1` inherits from `name2`. The domain parameter serves as a prefix to the roles (can also be used for other purposes). -For example: +Example usage: ```mdx-code-block @@ -399,10 +396,9 @@ For example: ### `GetRoles()` -GetRoles gets the roles that a user inherits. -Domain is a prefix to the roles (can be used for other purposes). +`GetRoles` retrieves the roles that a user inherits. The domain parameter serves as a prefix to the roles (can also be used for other purposes). -For example: +Example usage: ```mdx-code-block @@ -438,10 +434,9 @@ For example: ### `GetUsers()` -GetUsers gets the users that inherits a role. -Domain is a prefix to the users (can be used for other purposes). +`GetUsers` retrieves the users that inherit a role. The domain parameter serves as a prefix to the users (can also be used for other purposes). -For example: +Example usage: ```mdx-code-block @@ -477,9 +472,9 @@ For example: ### `PrintRoles()` -PrintRoles prints all the roles to log. +`PrintRoles` outputs all roles to the log. -For example: +Example usage: ```mdx-code-block @@ -515,9 +510,9 @@ For example: ### `SetLogger()` -SetLogger sets role manager's logger. +`SetLogger` assigns a logger to the role manager. -For example: +Example usage: ```mdx-code-block @@ -538,9 +533,9 @@ For example: ### `GetDomains()` -GetDomains gets domains that a user has +`GetDomains` retrieves the domains that a user belongs to. -For example: +Example usage: ```mdx-code-block diff --git a/docs/RoleManagers.mdx b/docs/RoleManagers.mdx index ab94a549..3d0d9fdd 100644 --- a/docs/RoleManagers.mdx +++ b/docs/RoleManagers.mdx @@ -6,7 +6,7 @@ keywords: [role manager, RBAC, Casbin] authors: [hsluoyz] --- -The role manager is used to manage the RBAC role hierarchy (user-role mapping) in Casbin. A role manager can retrieve role data from Casbin policy rules or external sources such as LDAP, Okta, Auth0, Azure AD, etc. We support different implementations of a role manager. To keep the lightweight, we don't include role manager code in the main library (except the default role manager). A complete list of Casbin role managers is provided below. Any third-party contributions for a new role manager are welcome. Please inform us, and we will add it to this list:) +The role manager handles the RBAC role hierarchy (user-role mapping) in Casbin. It can retrieve role data from Casbin policy rules or from external sources such as LDAP, Okta, Auth0, Azure AD, and others. We support multiple role manager implementations. To keep the main library lightweight, role manager code (except the default implementation) is maintained separately. Below is a complete list of available Casbin role managers. We welcome contributions for new role managers—please let us know, and we'll add them to this list. ```mdx-code-block @@ -22,7 +22,7 @@ import {RoleManagerPythonData} from "@site/src/tableData/RoleManagerData/RoleMan ``` -For developers: all role managers must implement the [RoleManager](https://github.com/casbin/casbin/blob/master/rbac/role_manager.go) interface. The [Session Role Manager](https://github.com/casbin/session-role-manager) can be used as a reference implementation. +All role managers must implement the [RoleManager](https://github.com/casbin/casbin/blob/master/rbac/role_manager.go) interface. Use the [Session Role Manager](https://github.com/casbin/session-role-manager) as a reference implementation. ```mdx-code-block @@ -31,7 +31,7 @@ For developers: all role managers must implement the [RoleManager](https://githu ``` -For developers: all role managers must implement the [RoleManager](https://github.com/casbin/jcasbin/blob/master/src/main/java/org/casbin/jcasbin/rbac/RoleManager.java) interface. The [Default Role Manager](https://github.com/casbin/jcasbin/blob/master/src/main/java/org/casbin/jcasbin/rbac/DefaultRoleManager.java) can be used as a reference implementation. +All role managers must implement the [RoleManager](https://github.com/casbin/jcasbin/blob/master/src/main/java/org/casbin/jcasbin/rbac/RoleManager.java) interface. Use the [Default Role Manager](https://github.com/casbin/jcasbin/blob/master/src/main/java/org/casbin/jcasbin/rbac/DefaultRoleManager.java) as a reference implementation. ```mdx-code-block @@ -40,7 +40,7 @@ For developers: all role managers must implement the [RoleManager](https://githu ``` -For developers: all role managers must implement the [RoleManager](https://github.com/casbin/node-casbin/blob/master/src/rbac/roleManager.ts) interface. The [Default Role Manager](https://github.com/casbin/node-casbin/blob/master/src/rbac/defaultRoleManager.ts) can be used as a reference implementation. +All role managers must implement the [RoleManager](https://github.com/casbin/node-casbin/blob/master/src/rbac/roleManager.ts) interface. Use the [Default Role Manager](https://github.com/casbin/node-casbin/blob/master/src/rbac/defaultRoleManager.ts) as a reference implementation. ```mdx-code-block @@ -49,7 +49,7 @@ For developers: all role managers must implement the [RoleManager](https://githu ``` -For developers: all role managers must implement the [RoleManager](https://github.com/php-casbin/php-casbin/blob/master/src/Rbac/RoleManager.php) interface. The [Default Role Manager](https://github.com/php-casbin/php-casbin/blob/master/src/Rbac/DefaultRoleManager/RoleManager.php) can be used as a reference implementation. +All role managers must implement the [RoleManager](https://github.com/php-casbin/php-casbin/blob/master/src/Rbac/RoleManager.php) interface. Use the [Default Role Manager](https://github.com/php-casbin/php-casbin/blob/master/src/Rbac/DefaultRoleManager/RoleManager.php) as a reference implementation. ```mdx-code-block @@ -58,7 +58,7 @@ For developers: all role managers must implement the [RoleManager](https://githu ``` -For developers: all role managers must implement the [RoleManager](https://github.com/casbin/pycasbin/blob/master/casbin/rbac/role_manager.py) interface. The [Default Role Manager](https://github.com/casbin/pycasbin/blob/master/casbin/rbac/default_role_manager/role_manager.py) can be used as a reference implementation. +All role managers must implement the [RoleManager](https://github.com/casbin/pycasbin/blob/master/casbin/rbac/role_manager.py) interface. Use the [Default Role Manager](https://github.com/casbin/pycasbin/blob/master/casbin/rbac/default_role_manager/role_manager.py) as a reference implementation. ```mdx-code-block diff --git a/docs/Service.mdx b/docs/Service.mdx index ed0c29bf..89983d34 100644 --- a/docs/Service.mdx +++ b/docs/Service.mdx @@ -8,8 +8,8 @@ authors: [hsluoyz] ## How to Use Casbin as a Service? -| Name | Description | -|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------| -| [Casbin Server](https://github.com/casbin/casbin-server) | The official "Casbin as a Service" solution based on [gRPC](https://grpc.io/). Both Management API and RBAC API are provided. | -| [middleware-acl](https://github.com/luk4z7/middleware-acl) | RESTful access control middleware based on Casbin. | -| [auth-server](https://github.com/ZettaAI/auth-server) | Auth Server for proofreading services. | +| Name | Description | +|--------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------| +| [Casbin Server](https://github.com/casbin/casbin-server) | The official "Casbin as a Service" solution built on [gRPC](https://grpc.io/). Provides both Management API and RBAC API. | +| [middleware-acl](https://github.com/luk4z7/middleware-acl) | RESTful access control middleware powered by Casbin. | +| [auth-server](https://github.com/ZettaAI/auth-server) | Authentication server for proofreading services. | diff --git a/docs/SuperAdmin.mdx b/docs/SuperAdmin.mdx index a5671d47..883c5386 100644 --- a/docs/SuperAdmin.mdx +++ b/docs/SuperAdmin.mdx @@ -6,7 +6,7 @@ keywords: [Super Admin] authors: [ErikQQY] --- -The Super Admin is the administrator of the entire system. It can be used in models such as RBAC, ABAC, and RBAC with domains. The detailed example is as follows: +The Super Admin represents the system-wide administrator. This concept can be applied in models such as RBAC, ABAC, and RBAC with domains. Here is a detailed example: ```ini [request_definition] @@ -22,6 +22,6 @@ e = some(where (p.eft == allow)) m = r.sub == p.sub && r.obj == p.obj && r.act == p.act || r.sub == "root" ``` -This example illustrates that, with the defined ```request_definition```, ```policy_definition```, ```policy_effect```, and ```matchers```, Casbin determines whether the request can match the policy. One important aspect is checking if the ```sub``` is root. If the judgment is correct, authorization is granted, and the user has permission to perform all actions. +This example demonstrates how Casbin evaluates whether a request matches a policy using the defined `request_definition`, `policy_definition`, `policy_effect`, and `matchers`. The key check is whether the `sub` equals "root". When this condition is true, authorization is granted, allowing the user to perform any action. -Similar to the root user in Linux systems, being authorized as root grants access to all files and settings. If we want a ```sub``` to have full access to the entire system, we can assign it the role of Super Admin, granting the ```sub``` permission to perform all actions. +Similar to the root user in Linux systems, a user with root privileges can access all files and modify all settings. To grant a subject complete system access, assign it the Super Admin role, which provides unrestricted permissions across the entire system. diff --git a/docs/TermsOfService.mdx b/docs/TermsOfService.mdx index c14617cb..45faff12 100644 --- a/docs/TermsOfService.mdx +++ b/docs/TermsOfService.mdx @@ -8,41 +8,41 @@ authors: [hsluoyz] 1. Terms - By accessing the website at [https://casbin.org](https://casbin.org), you are agreeing to be bound by these terms of service, all applicable laws and regulations, and agree that you are responsible for compliance with any applicable local laws. If you do not agree with any of these terms, you are prohibited from using or accessing this site. The materials contained in this website are protected by applicable copyright and trademark law. + By accessing the website at [https://casbin.org](https://casbin.org), you agree to be bound by these terms of service, all applicable laws and regulations, and acknowledge that you are responsible for compliance with any applicable local laws. If you do not agree with any of these terms, you are prohibited from using or accessing this site. The materials on this website are protected by applicable copyright and trademark law. 2. Use License - a. Permission is granted to temporarily download one copy of the materials (information or software) on Casbin's website for personal, non-commercial transitory viewing only. This is the grant of a license, not a transfer of title, and under this license you may not: + a. Permission is granted to temporarily download one copy of the materials (information or software) on Casbin's website for personal, non-commercial transitory viewing only. This constitutes a license grant, not a title transfer. Under this license, you may not: - i. modify or copy the materials; - - ii. use the materials for any commercial purpose, or for any public display (commercial or non-commercial); - - iii. attempt to decompile or reverse engineer any software contained on Casbin's website; + - ii. use the materials for any commercial purpose or for any public display (commercial or non-commercial); + - iii. attempt to decompile or reverse engineer any software on Casbin's website; - iv. remove any copyright or other proprietary notations from the materials; or - v. transfer the materials to another person or "mirror" the materials on any other server. - b. This license shall automatically terminate if you violate any of these restrictions and may be terminated by Casbin at any time. Upon terminating your viewing of these materials or upon the termination of this license, you must destroy any downloaded materials in your possession whether in electronic or printed format. + b. This license terminates automatically if you violate any of these restrictions and may be terminated by Casbin at any time. Upon terminating your viewing of these materials or upon termination of this license, you must destroy any downloaded materials in your possession, whether in electronic or printed format. 3. Disclaimer - a. The materials on Casbin's website are provided on an 'as is' basis. Casbin makes no warranties, expressed or implied, and hereby disclaims and negates all other warranties including, without limitation, implied warranties or conditions of merchantability, fitness for a particular purpose, or non-infringement of intellectual property or other violation of rights. + a. The materials on Casbin's website are provided on an "as is" basis. Casbin makes no warranties, expressed or implied, and hereby disclaims and negates all other warranties, including without limitation, implied warranties or conditions of merchantability, fitness for a particular purpose, or non-infringement of intellectual property or other violation of rights. b. Further, Casbin does not warrant or make any representations concerning the accuracy, likely results, or reliability of the use of the materials on its website or otherwise relating to such materials or on any sites linked to this site. 4. Limitations - In no event shall Casbin or its suppliers be liable for any damages (including, without limitation, damages for loss of data or profit, or due to business interruption) arising out of the use or inability to use the materials on Casbin's website, even if Casbin or a Casbin authorized representative has been notified orally or in writing of the possibility of such damage. Because some jurisdictions do not allow limitations on implied warranties, or limitations of liability for consequential or incidental damages, these limitations may not apply to you. + In no event shall Casbin or its suppliers be liable for any damages (including, without limitation, damages for loss of data or profit, or due to business interruption) arising out of the use or inability to use the materials on Casbin's website, even if Casbin or a Casbin authorized representative has been notified orally or in writing of the possibility of such damage. Because some jurisdictions do not allow limitations on implied warranties or limitations of liability for consequential or incidental damages, these limitations may not apply to you. 5. Accuracy of materials - The materials appearing on Casbin's website could include technical, typographical, or photographic errors. Casbin does not warrant that any of the materials on its website are accurate, complete or current. Casbin may make changes to the materials contained on its website at any time without notice. However Casbin does not make any commitment to update the materials. + The materials appearing on Casbin's website could include technical, typographical, or photographic errors. Casbin does not warrant that any of the materials on its website are accurate, complete, or current. Casbin may make changes to the materials on its website at any time without notice. However, Casbin does not make any commitment to update the materials. 6. Links - Casbin has not reviewed all of the sites linked to its website and is not responsible for the contents of any such linked site. The inclusion of any link does not imply endorsement by Casbin of the site. Use of any such linked website is at the user's own risk. + Casbin has not reviewed all sites linked to its website and is not responsible for the contents of any such linked site. The inclusion of any link does not imply endorsement by Casbin of the site. Use of any such linked website is at the user's own risk. 7. Modifications - Casbin may revise these terms of service for its website at any time without notice. By using this website you are agreeing to be bound by the then current version of these terms of service. + Casbin may revise these terms of service for its website at any time without notice. By using this website, you agree to be bound by the then-current version of these terms of service. 8. Governing Law diff --git a/docs/UCON.mdx b/docs/UCON.mdx index ccf94fec..361e827a 100644 --- a/docs/UCON.mdx +++ b/docs/UCON.mdx @@ -9,11 +9,11 @@ authors: [nodece] ## Overview -The Usage Control (UCON) model is an extension of traditional access control models that integrates authorizations, obligations, and conditions. Developed by Sandhu and Park, UCON provides a comprehensive framework for controlling access to and usage of digital resources in distributed systems. Unlike traditional access control models that focus only on authorization decisions at access time, UCON introduces continuous enforcement and attribute mutability. +The Usage Control (UCON) model extends traditional access control models by integrating authorizations, obligations, and conditions. Originally developed by Sandhu and Park, UCON provides a comprehensive framework for controlling both access to and usage of digital resources in distributed systems. Unlike traditional access control models that only make authorization decisions at access time, UCON introduces continuous enforcement and attribute mutability. ## Model & Policy -> **Note**: Casbin does not directly support UCON in its core library. Instead, UCON functionality is provided through the extension library [casbin-ucon](https://github.com/casbin/casbin-ucon), which adds session-based access control with conditions, obligations, and continuous monitoring capabilities. It can use the same models and policies supported by the Casbin core. +> **Note**: Casbin does not support UCON directly in its core library. Instead, UCON functionality is provided through the extension library [casbin-ucon](https://github.com/casbin/casbin-ucon), which adds session-based access control with conditions, obligations, and continuous monitoring capabilities. The extension can use the same models and policies supported by the Casbin core. ### model @@ -44,12 +44,12 @@ p, alice, document1, read The UCON model consists of three core components: 1. **Authorizations (A)**: Traditional access control rules based on subject and object attributes -2. **oBligations (B)**: Requirements that must be fulfilled by subjects before or during resource usage +2. **oBligations (B)**: Requirements that subjects must fulfill before or during resource usage 3. **Conditions (C)**: Environmental or system factors independent of subjects and objects ## Key Features -1. **Continuity**: Unlike traditional models that check permissions only at access time, UCON enables ongoing enforcement during the entire usage session +1. **Continuity**: Unlike traditional models that check permissions only at access time, UCON enables ongoing enforcement throughout the entire usage session 2. **Mutability**: Subject and object attributes can be updated as a consequence of usage 3. **Pre-decisions**: Authorizations, obligations, and conditions checked before access 4. **Ongoing-decisions**: Continuous checking during resource usage @@ -57,7 +57,7 @@ The UCON model consists of three core components: ## Use Cases -The UCON model is particularly useful in: +The UCON model is particularly valuable in: - Digital Rights Management (DRM) systems - Healthcare information systems @@ -68,7 +68,7 @@ The UCON model is particularly useful in: ## Implementation with casbin-ucon -To implement UCON in your Casbin-based application, you need to use the [casbin-ucon](https://github.com/casbin/casbin-ucon) extension library: +To implement UCON in your Casbin-based application, use the [casbin-ucon](https://github.com/casbin/casbin-ucon) extension library: ```bash go get github.com/casbin/casbin-ucon @@ -169,4 +169,4 @@ func main() { ## References -For complete API documentation, detailed usage, and latest updates about casbin-ucon, please refer to [casbin-ucon](https://github.com/casbin/casbin-ucon) . +For complete API documentation, detailed usage, and latest updates about casbin-ucon, refer to [casbin-ucon](https://github.com/casbin/casbin-ucon). diff --git a/docs/Watchers.mdx b/docs/Watchers.mdx index f8bd4100..5fd9e0be 100644 --- a/docs/Watchers.mdx +++ b/docs/Watchers.mdx @@ -8,9 +8,9 @@ authors: [hsluoyz] -We support the use of distributed messaging systems like [etcd](https://github.com/coreos/etcd) to maintain consistency between multiple Casbin enforcer instances. This allows our users to concurrently use multiple Casbin enforcers to handle a large number of permission checking requests. +We support distributed messaging systems like [etcd](https://github.com/coreos/etcd) to maintain consistency across multiple Casbin enforcer instances. This enables concurrent use of multiple Casbin enforcers to handle large volumes of permission checking requests. -Similar to policy storage adapters, we do not include watcher code in the main library. Any support for a new messaging system should be implemented as a watcher. A complete list of Casbin watchers is provided below. We welcome any third-party contributions for a new watcher, please inform us and we will add it to this list: +Similar to policy storage adapters, watcher code is not included in the main library. Support for new messaging systems should be implemented as a separate watcher. Below is a complete list of available Casbin watchers. We welcome third-party contributions for new watchers—please let us know, and we'll add them to this list. ```mdx-code-block @@ -86,20 +86,20 @@ import {WatcherRustData} from "@site/src/tableData/WatcherData/WatcherRustData"; ## WatcherEx -In order to support incremental synchronization between multiple instances, we provide the `WatcherEx` interface. We hope it can notify other instances when the policy changes, but there is currently no implementation of `WatcherEx`. We recommend that you use dispatcher to achieve this. +To support incremental synchronization between multiple instances, we provide the `WatcherEx` interface. This interface can notify other instances when policies change, though there is currently no implementation of `WatcherEx`. We recommend using a dispatcher to achieve this functionality. -Compared with `Watcher` interface, `WatcherEx` can distinguish what type of update action is received, e.g., `AddPolicy` and `RemovePolicy`. +Compared to the `Watcher` interface, `WatcherEx` can distinguish the type of update action received, such as `AddPolicy` versus `RemovePolicy`. -WatcherEx Apis: +WatcherEx APIs: | API | Description | |-----------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| SetUpdateCallback(func(string)) error | SetUpdateCallback sets the callback function that the watcher will call, when the policy in DB has been changed by other instances. A classic callback is Enforcer.LoadPolicy(). | -| Update() error | Update calls the update callback of other instances to synchronize their policy. It is usually called after changing the policy in DB, like Enforcer.SavePolicy(), Enforcer.AddPolicy(), Enforcer.RemovePolicy(), etc. | -| Close() | Close stops and releases the watcher, the callback function will not be called any more. | -| UpdateForAddPolicy(sec, ptype string, params ...string) error | UpdateForAddPolicy calls the update callback of other instances to synchronize their policy. It is called after a policy is added via Enforcer.AddPolicy(), Enforcer.AddNamedPolicy(), Enforcer.AddGroupingPolicy() and Enforcer.AddNamedGroupingPolicy(). | -| UpdateForRemovePolicy(sec, ptype string, params ...string) error | UPdateForRemovePolicy calls the update callback of other instances to synchronize their policy. It is called after a policy is removed by Enforcer.RemovePolicy(), Enforcer.RemoveNamedPolicy(), Enforcer.RemoveGroupingPolicy() and Enforcer.RemoveNamedGroupingPolicy(). | -| UpdateForRemoveFilteredPolicy(sec, ptype string, fieldIndex int, fieldValues ...string) error | UpdateForRemoveFilteredPolicy calls the update callback of other instances to synchronize their policy. It is called after Enforcer.RemoveFilteredPolicy(), Enforcer.RemoveFilteredNamedPolicy(), Enforcer.RemoveFilteredGroupingPolicy() and Enforcer.RemoveFilteredNamedGroupingPolicy(). | -| UpdateForSavePolicy(model model.Model) error | UpdateForSavePolicy calls the update callback of other instances to synchronize their policy. It is called after Enforcer.SavePolicy() | -| UpdateForAddPolicies(sec string, ptype string, rules ...[]string) error | UpdateForAddPolicies calls the update callback of other instances to synchronize their policy. It is called after Enforcer.AddPolicies(), Enforcer.AddNamedPolicies(), Enforcer.AddGroupingPolicies() and Enforcer.AddNamedGroupingPolicies(). | -| UpdateForRemovePolicies(sec string, ptype string, rules ...[]string) error | UpdateForRemovePolicies calls the update callback of other instances to synchronize their policy. It is called after Enforcer.RemovePolicies(), Enforcer.RemoveNamedPolicies(), Enforcer.RemoveGroupingPolicies() and Enforcer.RemoveNamedGroupingPolicies(). | +| SetUpdateCallback(func(string)) error | SetUpdateCallback configures the callback function that the watcher calls when the policy in the database has been changed by other instances. A classic callback is Enforcer.LoadPolicy(). | +| Update() error | Update calls the update callback of other instances to synchronize their policies. It is usually called after changing the policy in the database, such as after Enforcer.SavePolicy(), Enforcer.AddPolicy(), Enforcer.RemovePolicy(), etc. | +| Close() | Close stops and releases the watcher. The callback function will no longer be invoked after this. | +| UpdateForAddPolicy(sec, ptype string, params ...string) error | UpdateForAddPolicy calls the update callback of other instances to synchronize their policies. It is called after a policy is added via Enforcer.AddPolicy(), Enforcer.AddNamedPolicy(), Enforcer.AddGroupingPolicy() and Enforcer.AddNamedGroupingPolicy(). | +| UpdateForRemovePolicy(sec, ptype string, params ...string) error | UpdateForRemovePolicy calls the update callback of other instances to synchronize their policies. It is called after a policy is removed by Enforcer.RemovePolicy(), Enforcer.RemoveNamedPolicy(), Enforcer.RemoveGroupingPolicy() and Enforcer.RemoveNamedGroupingPolicy(). | +| UpdateForRemoveFilteredPolicy(sec, ptype string, fieldIndex int, fieldValues ...string) error | UpdateForRemoveFilteredPolicy calls the update callback of other instances to synchronize their policies. It is called after Enforcer.RemoveFilteredPolicy(), Enforcer.RemoveFilteredNamedPolicy(), Enforcer.RemoveFilteredGroupingPolicy() and Enforcer.RemoveFilteredNamedGroupingPolicy(). | +| UpdateForSavePolicy(model model.Model) error | UpdateForSavePolicy calls the update callback of other instances to synchronize their policies. It is called after Enforcer.SavePolicy(). | +| UpdateForAddPolicies(sec string, ptype string, rules ...[]string) error | UpdateForAddPolicies calls the update callback of other instances to synchronize their policies. It is called after Enforcer.AddPolicies(), Enforcer.AddNamedPolicies(), Enforcer.AddGroupingPolicies() and Enforcer.AddNamedGroupingPolicies(). | +| UpdateForRemovePolicies(sec string, ptype string, rules ...[]string) error | UpdateForRemovePolicies calls the update callback of other instances to synchronize their policies. It is called after Enforcer.RemovePolicies(), Enforcer.RemoveNamedPolicies(), Enforcer.RemoveGroupingPolicies() and Enforcer.RemoveNamedGroupingPolicies(). |