RBAC gives more control of actions an account can perform
System defines
- Permissions to perform some action
- Roles: a set of permissions that have some relation
- Groups: a set of roles that have some relation
Operations
- Grant: Assign and allow
- Deny: Assign and do not allow
- Revoke: Remove
Precedence of operations
- Grant
- Deny
If you are granted some action by a role but you have denied that permission, the action can not be done.
Rules
- Groups can only have roles
- Roles can only have permissions
- An account can be assigned granted and denied roles. Permissions inherited from roles are granted if roles is granted and denied if roles is denied
- An account can be assigned granted and denied permissions
- An account can have multiple groups, roles and permissions
- An account can not have same role granted and denied at same time
- An acconnt can not have same permission granted and denied at same time
- Id 0 can not be used to define a group, role or permission
Permissions (default permissions)
| Id | Name | Description |
|---|---|---|
| 1 | RBAC_PERM_INSTANT_LOGOUT | Instantly logging out everywhere. Does not work while in combat, dueling or falling. |
| 2 | RBAC_PERM_SKIP_QUEUE | Skip login queue. |
| 3 | RBAC_PERM_JOIN_NORMAL_BG | Allow joining normal battlegrounds. |
| 4 | RBAC_PERM_JOIN_RANDOM_BG | Allow joining random battlegrounds. |
| 5 | RBAC_PERM_JOIN_ARENAS | Allow joining arenas. |
| 6 | RBAC_PERM_JOIN_DUNGEON_FINDER | Allow joining dungeon finder (LFD, LFG). |
| 7 | RBAC_PERM_PLAYER_COMMANDS | Allow the use of player commands. (Security level 0) (TEMP) |
| 8 | RBAC_PERM_MODERATOR_COMMANDS | Allow the use of moderator commands. (Security level 1) (TEMP) |
| 9 | RBAC_PERM_GAMEMASTER_COMMANDS | Allow the use of game-master commands. (Security level 2) (TEMP) |
| 10 | RBAC_PERM_ADMINISTRATOR_COMMANDS | Allow the use of administrator commands. (Security level 3) (TEMP) |
| 11 | RBAC_PERM_LOG_GM_TRADE | Log GM trades |
| 12 | free | |
| 13 | RBAC_PERM_SKIP_CHECK_INSTANCE_REQUIRED_BOSSES | Skip Instance required bosses check |
| 14 | RBAC_PERM_SKIP_CHECK_CHARACTER_CREATION_TEAMMASK | Skips character creation team mask check |
| 15 | RBAC_PERM_SKIP_CHECK_CHARACTER_CREATION_CLASSMASK | Skips character creation class mask check |
| 16 | RBAC_PERM_SKIP_CHECK_CHARACTER_CREATION_RACEMASK | Skips character creation race mask check |
| 17 | RBAC_PERM_SKIP_CHECK_CHARACTER_CREATION_RESERVEDNAME | Skips character creation reserved name check |
| 18 | RBAC_PERM_SKIP_CHECK_CHARACTER_CREATION_HEROIC_CHARACTER | Skips character creation heroic min level check |
| 19 | RBAC_PERM_SKIP_CHECK_CHAT_CHANNEL_REQ | Skips needed requirements to use channel check |
| 20 | RBAC_PERM_SKIP_CHECK_DISABLE_MAP | Skip disable map check |
| 21 | RBAC_PERM_SKIP_CHECK_MORE_TALENTS_THAN_ALLOWED | Skip reset talents when used more than allowed check |
| 22 | RBAC_PERM_SKIP_CHECK_CHAT_SPAM | Skip spam chat check |
| 23 | RBAC_PERM_SKIP_CHECK_OVERSPEED_PING | Skip over-speed ping check |
| 24 | RBAC_PERM_TWO_SIDE_CHARACTER_CREATION | Creation of two side faction characters in same account |
| 25 | RBAC_PERM_TWO_SIDE_INTERACTION_CHAT | Allow say chat between factions |
| 26 | RBAC_PERM_TWO_SIDE_INTERACTION_CHANNEL | Allow channel chat between factions |
| 27 | RBAC_PERM_TWO_SIDE_INTERACTION_MAIL | Two side mail interaction |
| 28 | RBAC_PERM_TWO_SIDE_WHO_LIST | See two side who list |
| 29 | RBAC_PERM_TWO_SIDE_ADD_FRIEND | Add friends of other faction |
| 30 | RBAC_PERM_COMMANDS_SAVE_WITHOUT_DELAY | Save character without delay with .save command |
| 31 | RBAC_PERM_COMMANDS_USE_UNSTUCK_WITH_ARGS | Use params with .unstuck command |
| 32 | RBAC_PERM_COMMANDS_BE_ASSIGNED_TICKET | Can be assigned tickets with .assign ticket command |
| 33 | RBAC_PERM_COMMANDS_NOTIFY_COMMAND_NOT_FOUND_ERROR | Notify if a command was not found |
| 34 | RBAC_PERM_COMMANDS_APPEAR_IN_GM_LIST | Check if should appear in list using .gm ingame command |
| 35 | RBAC_PERM_WHO_SEE_ALL_SEC_LEVELS | See all security levels with who command |
| 36 | RBAC_PERM_CAN_FILTER_WHISPERS | Filter whispers |
| 37 | RBAC_PERM_CHAT_USE_STAFF_BADGE | Use staff badge in chat |
| 38 | RBAC_PERM_RESURRECT_WITH_FULL_HPS | Resurrect with full Health Points |
| 39 | RBAC_PERM_RESTORE_SAVED_GM_STATE | Restore saved gm setting states |
| 40 | RBAC_PERM_ALLOW_GM_FRIEND | Allows to add a gm to friend list |
| 41 | RBAC_PERM_USE_START_GM_LEVEL | Use Config option START_GM_LEVEL to assign new character level |
| 42 | RBAC_PERM_OPCODE_WORLD_TELEPORT | Allows to use CMSG_WORLD_TELEPORT opcode |
| 43 | RBAC_PERM_OPCODE_WHOIS | Allows to use CMSG_WHOIS opcode |
| 44 | RBAC_PERM_RECEIVE_GLOBAL_GM_TEXTMESSAGE | Receive global GM messages/texts |
| 45 | RBAC_PERM_SILENTLY_JOIN_CHANNEL | Join channels without announce |
| 46 | RBAC_PERM_CHANGE_CHANNEL_NOT_MODERATOR | Change channel settings without being channel moderator |
| 47 | RBAC_PERM_CHECK_FOR_LOWER_SECURITY | Enables lower security than target check |
In-game commands
| Name | Syntax | Description |
|---|---|---|
| .rbac account | Syntax: .rbac account [$account] | View permissions of selected player or given account Note: Only those that affect current realm Note: Shows real permissions after checking group and roles |
| .rbac account group | Syntax: .rbac account group [$account] | View groups of selected player or given account Note: Only those that affect current realm |
| .rbac account group add | Syntax: .rbac account group add [$account] #id [#realmId] | Add a group to selected player or given account. #reamID may be -1 for all realms. |
| .rbac account group remove | Syntax: .rbac account group remove [$account] #id | Remove a group from selected player or given account. |
| .rbac account role | Syntax: .rbac account role [$account] | View roles of selected player or given account Note: Only those that affect current real Note: Only those directly granted or denied, does not include inherited roles from groups |
| .rbac account role grant | Syntax: .rbac account role grant [$account] #id [#realmId] | Grant a role to selected player or given account. #reamID may be -1 for all realms. |
| .rbac account role deny | Syntax: .rbac account role deny [$account] #id [#realmId] | Deny a role to selected player or given account. #reamID may be -1 for all realms. |
| .rbac account role revoke | Syntax: .rbac account role revoke [$account] #id | Remove a role from an account Note: Removes the role from granted or denied roles |
| .rbac account permission | Syntax: .rbac account permission [$account] | View permissions of selected player or given account Note: Only those that affect current realm Note: Only those directly granted or denied, does not include inherited permissions from roles |
| .rbac account permission grant | Syntax: .rbac account permission grant [$account] #id [#realmId] | Grant a permission to selected player or given account. #reamID may be -1 for all realms. |
| .rbac account permission deny | Syntax: .rbac account permission deny [$account] #id [#realmId] | Deny a permission to selected player or given account. #reamID may be -1 for all realms. |
| .rbac account permission revoke | Syntax: .rbac account permission revoke [$account] #id | Remove a permission from an account Note: Removes the permission from granted or denied permissions |
| .rbac list groups | Syntax: .rbac list groups [$id] | View list of all groups. If $id is given will show group info and his inherited roles. |
| .rbac list roles | Syntax: .rbac list roles [$id] | View list of all roles. If $id is given will show role info and his inherited permissions. |
| .rbac list permissions | Syntax: .rbac list permissions [$id] | View list of all permissions. If $id is given will show only info for that permission. |
Commands are not (yet) covered by RBAC (allowing, denying and revoking specific commands to roles and groups)
Related tables (`auth` database)
| Table Name | Table Description | Field Name | Field Type | Field Description |
|---|---|---|---|---|
| rbac_account_groups | Account-Group relation | accountId | int | Account id |
| groupId | int | Group id | ||
| realmId | int | Realm Id, -1 means all | ||
| rbac_account_permissions | Account-Permission relation | accountId | int | Account id |
| permissionId | int | Permission id | ||
| granted | int | Granted = 1, Denied = 0 | ||
| realmId | int | Realm Id, -1 means all | ||
| rbac_account_roles | Account-Role relation | accountId | int | Account id |
| roleId | int | Role id | ||
| granted | int | Granted = 1, Denied = 0 | ||
| realmId | int | Realm Id, -1 means all | ||
| rbac_group_roles | Group-Role relation | groupId | int | Group id |
| roleId | int | Role id | ||
| rbac_role_permissions | Role-Permission relation | roleId | int | Role id |
| permissionId | int | Permission id | ||
| rbac_groups | Group List | id | int | Group id |
| name | text | Group name | ||
| rbac_permissions | Permission List | id | int | Permission id |
| name | text | Permission name | ||
| rbac_roles | Roles list | id | int | Role id |
| name | text | Role name | ||
| rbac_security_level_groups | Default groups to assign when an account is set gm level | secId | int | Security Level id |
| groupId | int | Group id |
Suggestion
Create a web interface (in PHP or other accessible web technology) to ease the management of the RBAC system.
If simple and good enough, it could possibly be added to TrinityCore repository (/contrib/ directory)!