RBAC gives more control of actions an account can perform
System defines
- Permissions to perform some action
- Roles: a set of permissions that have some relation
- Groups: a set of roles that have some relation
Operations
- Grant: Assign and allow
- Deny: Assign and do not allow
- Revoke: Remove
Precedence of operations
- Grant
- Deny
If you are granted some action by a role but you have been denied that permission, the action cannot be done.
Rules
- Groups can only have roles
- Roles can only have permissions
- An account can be assigned granted and denied roles. Permissions inherited from a role are granted if the role is granted and denied if the role is denied
- An account can be assigned granted and denied permissions
- An account can have multiple groups, roles and permissions
- An account cannot have the same role granted and denied at the same time
- An account cannot have the same permission granted and denied at the same time
- Id 0 can not be used to define a group, role or permission
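The rules and precedence above can be checked with a small resolver. This is an added example, not the project's own code: all type and function names are hypothetical, and it assumes that roles inherited from a group count as granted roles.

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <stdexcept>
using Id = std::uint32_t;
using IdSet = std::set<Id>;
using Children = std::map<Id, IdSet>;
// Hypothetical in-memory model (names are illustrative, not the project's).
struct Rbac { Children groupRoles, rolePermissions; };
struct Account {
    IdSet groups, grantedRoles, deniedRoles, grantedPerms, deniedPerms;
    // Rules: id 0 is invalid; an id cannot be granted and denied at once.
    static void assign(IdSet& target, const IdSet& opposite, Id id) {
        if (id == 0) throw std::invalid_argument("id 0 is reserved");
        if (opposite.count(id)) throw std::logic_error("granted and denied at once");
        target.insert(id);
    }
    void grantRole(Id id) { assign(grantedRoles, deniedRoles, id); }
    void denyRole(Id id)  { assign(deniedRoles, grantedRoles, id); }
    void grantPerm(Id id) { assign(grantedPerms, deniedPerms, id); }
    void denyPerm(Id id)  { assign(deniedPerms, grantedPerms, id); }
    void revokeRole(Id id) { grantedRoles.erase(id); deniedRoles.erase(id); }
    void revokePerm(Id id) { grantedPerms.erase(id); deniedPerms.erase(id); }
};

// Adds the children of every key (roles of groups, permissions of roles).
static void expand(const Children& m, const IdSet& keys, IdSet& out) {
    for (Id k : keys)
        if (m.count(k)) out.insert(m.at(k).begin(), m.at(k).end());
}

// Effective permissions = everything granted minus everything denied.
IdSet effectivePermissions(const Rbac& r, const Account& a) {
    IdSet roles = a.grantedRoles, granted = a.grantedPerms, denied = a.deniedPerms;
    expand(r.groupRoles, a.groups, roles);       // assumption: group roles count as granted
    expand(r.rolePermissions, roles, granted);
    expand(r.rolePermissions, a.deniedRoles, denied);
    for (Id p : denied) granted.erase(p);        // deny takes precedence over grant
    return granted;
}

// Constructed sample: group 1 -> role 1 -> permissions {1, 2}; role 2 -> {3}.
IdSet sampleEffective() {
    Rbac r{{{1, {1}}}, {{1, {1, 2}}, {2, {3}}}};
    Account a;
    a.groups = {1};
    a.grantPerm(3);  // direct grant of 3 ...
    a.denyRole(2);   // ... loses to denied role 2, which carries permission 3
    a.denyPerm(2);   // direct deny removes permission 2 inherited via the group
    return effectivePermissions(r, a);
}
```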
Added some permissions as a sample of use (Instant Logout, Skip Queue, Join BGs, Join DF) and some permissions as a workaround to commands till command system is modified to use RBAC
In-game commands
Name | Syntax | Description |
---|---|---|
.rbac account | Syntax: .rbac account [$account] | View permissions of selected player or given account. Note: Only those that affect current realm. Note: Shows real permissions after checking group and roles. |
.rbac account group | Syntax: .rbac account group [$account] | View groups of selected player or given account. Note: Only those that affect current realm. |
.rbac account group add | Syntax: .rbac account group add [$account] #id [#realmId] | Add a group to selected player or given account. #realmId may be -1 for all realms. |
.rbac account group remove | Syntax: .rbac account group remove [$account] #id | Remove a group from selected player or given account. |
.rbac account role | Syntax: .rbac account role [$account] | View roles of selected player or given account. Note: Only those that affect current realm. Note: Only those directly granted or denied, does not include inherited roles from groups. |
.rbac account role grant | Syntax: .rbac account role grant [$account] #id [#realmId] | Grant a role to selected player or given account. #realmId may be -1 for all realms. |
.rbac account role deny | Syntax: .rbac account role deny [$account] #id [#realmId] | Deny a role to selected player or given account. #realmId may be -1 for all realms. |
.rbac account role revoke | Syntax: .rbac account role revoke [$account] #id | Remove a role from an account. Note: Removes the role from granted or denied roles. |
.rbac account permission | Syntax: .rbac account permission [$account] | View permissions of selected player or given account. Note: Only those that affect current realm. Note: Only those directly granted or denied, does not include inherited permissions from roles. |
.rbac account permission grant | Syntax: .rbac account permission grant [$account] #id [#realmId] | Grant a permission to selected player or given account. #realmId may be -1 for all realms. |
.rbac account permission deny | Syntax: .rbac account permission deny [$account] #id [#realmId] | Deny a permission to selected player or given account. #realmId may be -1 for all realms. |
.rbac account permission revoke | Syntax: .rbac account permission revoke [$account] #id | Remove a permission from an account. Note: Removes the permission from granted or denied permissions. |
.rbac list groups | Syntax: .rbac list groups [$id] | View list of all groups. If $id is given, shows group info and its inherited roles. |
.rbac list roles | Syntax: .rbac list roles [$id] | View list of all roles. If $id is given, shows role info and its inherited permissions. |
.rbac list permissions | Syntax: .rbac list permissions [$id] | View list of all permissions. If $id is given will show only info for that permission. |
Commands are not (yet) covered by RBAC (allowing, denying and revoking specific commands to roles and groups)