RBAC gives more control of actions an account can perform
System defines
- Permissions to perform some action
- Roles: a set of permissions that have some relation
- Groups: a set of roles that have some relation
Operations
- Grant: Assign and allow
- Deny: Assign and do not allow
- Revoke: Remove
Precedence of operations
- Grant
- Deny
If you are granted some action by a role but you are denied that permission, the action cannot be done.
Rules
- Groups can only have roles
- Roles can only have permissions
- An account can be assigned granted and denied roles. Permissions inherited from a role are granted if the role is granted and denied if the role is denied
- An account can be assigned granted and denied permissions
- An account can have multiple groups, roles and permissions
- An account can not have the same role granted and denied at the same time
- An account can not have the same permission granted and denied at the same time
- Id 0 can not be used to define a group, role or permission
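The rules above resolved into an account's effective permissions for one realm, as an added sketch (not the project's own code). The type and function names are hypothetical, the sample data is constructed, and realm filtering assumes only what the tables below state (realmId -1 means all realms).

```cpp
#include <cstdint>
#include <map>
#include <set>
#include <vector>
// Hypothetical types for illustration; not the project's own classes.
using Id = uint32_t;
using IdSet = std::set<Id>;
struct Assign { Id id; int32_t realmId; };           // realmId -1 = all realms
struct Defs {                                        // rbac_group_roles / rbac_role_permissions
    std::map<Id, IdSet> groupRoles, rolePerms;
};
struct Account {
    std::vector<Assign> groups, grantedRoles, deniedRoles, grantedPerms, deniedPerms;
};

static bool applies(const Assign& a, int32_t realm) {
    return a.realmId == -1 || a.realmId == realm;
}
static void addRolePerms(const Defs& d, Id role, IdSet& out) {
    auto it = d.rolePerms.find(role);
    if (it != d.rolePerms.end()) out.insert(it->second.begin(), it->second.end());
}

// Effective permissions of an account on one realm.
IdSet effectivePermissions(const Defs& d, const Account& acc, int32_t realm) {
    IdSet granted, denied;
    for (const Assign& g : acc.groups) {             // roles inherited from groups count as granted
        auto it = d.groupRoles.find(g.id);
        if (!applies(g, realm) || it == d.groupRoles.end()) continue;
        for (Id role : it->second) addRolePerms(d, role, granted);
    }
    for (const Assign& r : acc.grantedRoles) if (applies(r, realm)) addRolePerms(d, r.id, granted);
    for (const Assign& r : acc.deniedRoles)  if (applies(r, realm)) addRolePerms(d, r.id, denied);
    for (const Assign& p : acc.grantedPerms) if (applies(p, realm)) granted.insert(p.id);
    for (const Assign& p : acc.deniedPerms)  if (applies(p, realm)) denied.insert(p.id);
    for (Id p : denied) granted.erase(p);            // a deny always wins over a grant
    return granted;
}

// Constructed sample: group 1 -> roles {1, 2}; role 1 -> perms {1, 2}; role 2 -> perms {3, 4, 5}.
// The account is in group 1 on all realms, is denied permission 2 on realm 1 only, is denied
// role 2 on all realms, and is directly granted permission 5 on all realms.
IdSet sampleEffective(int32_t realm) {
    Defs d;
    d.groupRoles[1] = {1, 2}; d.rolePerms[1] = {1, 2}; d.rolePerms[2] = {3, 4, 5};
    Account acc;
    acc.groups.push_back({1, -1});
    acc.deniedPerms.push_back({2, 1});
    acc.deniedRoles.push_back({2, -1});
    acc.grantedPerms.push_back({5, -1});
    return effectivePermissions(d, acc, realm);
}
```

On realm 1 the sample account keeps only permission 1; on realm 2 it keeps 1 and 2, and the direct grant of permission 5 never takes effect because the denied role 2 also carries it.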
Added some permissions as a sample of use (Instant Logout, Skip Queue, Join BGs, Join DF) and some permissions as a workaround to commands till command system is modified to use RBAC
Permissions (default permissions)
Id | Name | Description |
---|---|---|
1 | RBAC_PERM_INSTANT_LOGOUT | Instantly logging out everywhere. Does not work while in combat, dueling or falling. |
2 | RBAC_PERM_SKIP_QUEUE | Skip login queue. |
3 | RBAC_PERM_JOIN_NORMAL_BG | Allow joining normal battlegrounds. |
4 | RBAC_PERM_JOIN_RANDOM_BG | Allow joining random battlegrounds. |
5 | RBAC_PERM_JOIN_ARENAS | Allow joining arenas. |
6 | RBAC_PERM_JOIN_DUNGEON_FINDER | Allow joining dungeon finder (LFD, LFG). |
7 | RBAC_PERM_PLAYER_COMMANDS | Allow the use of player commands. (Security level 0) |
8 | RBAC_PERM_MODERATOR_COMMANDS | Allow the use of moderator commands. (Security level 1) |
9 | RBAC_PERM_GAMEMASTER_COMMANDS | Allow the use of game-master commands. (Security level 2) |
10 | RBAC_PERM_ADMINISTRATOR_COMMANDS | Allow the use of administrator commands. (Security level 3) |
In-game commands
Name | Syntax | Description |
---|---|---|
.rbac account | Syntax: .rbac account [$account] | View permissions of selected player or given account. Note: Only those that affect current realm. Note: Shows real permissions after checking group and roles. |
.rbac account group | Syntax: .rbac account group [$account] | View groups of selected player or given account. Note: Only those that affect current realm. |
.rbac account group add | Syntax: .rbac account group add [$account] #id [#realmId] | Add a group to selected player or given account. #realmId may be -1 for all realms. |
.rbac account group remove | Syntax: .rbac account group remove [$account] #id | Remove a group from selected player or given account. |
.rbac account role | Syntax: .rbac account role [$account] | View roles of selected player or given account. Note: Only those that affect current realm. Note: Only those directly granted or denied, does not include inherited roles from groups. |
.rbac account role grant | Syntax: .rbac account role grant [$account] #id [#realmId] | Grant a role to selected player or given account. #realmId may be -1 for all realms. |
.rbac account role deny | Syntax: .rbac account role deny [$account] #id [#realmId] | Deny a role to selected player or given account. #realmId may be -1 for all realms. |
.rbac account role revoke | Syntax: .rbac account role revoke [$account] #id | Remove a role from an account. Note: Removes the role from granted or denied roles. |
.rbac account permission | Syntax: .rbac account permission [$account] | View permissions of selected player or given account. Note: Only those that affect current realm. Note: Only those directly granted or denied, does not include inherited permissions from roles. |
.rbac account permission grant | Syntax: .rbac account permission grant [$account] #id [#realmId] | Grant a permission to selected player or given account. #realmId may be -1 for all realms. |
.rbac account permission deny | Syntax: .rbac account permission deny [$account] #id [#realmId] | Deny a permission to selected player or given account. #realmId may be -1 for all realms. |
.rbac account permission revoke | Syntax: .rbac account permission revoke [$account] #id | Remove a permission from an account. Note: Removes the permission from granted or denied permissions. |
.rbac list groups | Syntax: .rbac list groups [$id] | View list of all groups. If $id is given, shows group info and its inherited roles. |
.rbac list roles | Syntax: .rbac list roles [$id] | View list of all roles. If $id is given, shows role info and its inherited permissions. |
.rbac list permissions | Syntax: .rbac list permissions [$id] | View list of all permissions. If $id is given will show only info for that permission. |
Commands are not (yet) covered by RBAC (allowing, denying and revoking specific commands to roles and groups)
Related tables (`auth` database)
Table Name | Table Description | Field Name | Field Type | Field Description |
---|---|---|---|---|
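rbac_account_groups | Account-Group relation | accountId | int | Account id |
rbac_account_groups | Account-Group relation | groupId | int | Group id |
rbac_account_groups | Account-Group relation | realmId | int | Realm Id, -1 means all |
rbac_account_permissions | Account-Permission relation | accountId | int | Account id |
rbac_account_permissions | Account-Permission relation | permissionId | int | Permission id |
rbac_account_permissions | Account-Permission relation | granted | int | Granted = 1, Denied = 0 |
rbac_account_permissions | Account-Permission relation | realmId | int | Realm Id, -1 means all |
rbac_account_roles | Account-Role relation | accountId | int | Account id |
rbac_account_roles | Account-Role relation | roleId | int | Role id |
rbac_account_roles | Account-Role relation | granted | int | Granted = 1, Denied = 0 |
rbac_account_roles | Account-Role relation | realmId | int | Realm Id, -1 means all |
rbac_group_roles | Group-Role relation | groupId | int | Group id |
rbac_group_roles | Group-Role relation | roleId | int | Role id |
rbac_role_permissions | Role-Permission relation | roleId | int | Role id |
rbac_role_permissions | Role-Permission relation | permissionId | int | Permission id |
rbac_groups | Group List | id | int | Group id |
rbac_groups | Group List | name | text | Group name |
rbac_permissions | Permission List | id | int | Permission id |
rbac_permissions | Permission List | name | text | Permission name |
rbac_roles | Roles list | id | int | Role id |
rbac_roles | Roles list | name | text | Role name |
rbac_security_level_groups | Default groups to assign when an account is set gm level | secId | int | Security Level id |
rbac_security_level_groups | Default groups to assign when an account is set gm level | groupId | int | Group id |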