RBAC: Role based Access Control

RBAC gives more control of actions an account can perform

System defines
Permissions to perform some action
Roles: a set of permissions that have some relation
Groups: a set of roles that have some relation
Operations
Grant: Assign and allow
Deny: Assign and do not allow
Revoke: Remove
Precedence of operations
Grant
Deny
If you are granted some action by a role but you have denied that permission, the action can not be done.
Rules
Groups can only have roles
Roles can only have permissions
An account can be assigned granted and denied roles. Permissions inherited from roles are granted if roles is granted and denied if roles is denied
An account can be assigned granted and denied permissions
An account can have multiple groups, roles and permissions
An account can not have same role granted and denied at same time
An acconnt can not have same permission granted and denied at same time
Id 0 can not be used to define a group, role or permission
Added some permissions as a sample of use (Instant Logout, Skip Queue, Join BGs, Join DF) and some permissions as a workaround to commands till command system is modified to use RBAC
Permissions
Id Name Description
1 RBAC_PERM_INSTANT_LOGOUT Instantly logging out everywhere. Does not work while in combat, dueling or falling.
2 RBAC_PERM_SKIP_QUEUE Skip login queue.
3 RBAC_PERM_JOIN_NORMAL_BG Allow joining normal battlegrounds.
4 RBAC_PERM_JOIN_RANDOM_BG Allow joining random battlegrounds.
5 RBAC_PERM_JOIN_ARENAS Allow joining arenas.
6 RBAC_PERM_JOIN_DUNGEON_FINDER Allow joining dungeon finder (LFD, LFG).
7 RBAC_PERM_PLAYER_COMMANDS Allow the use of player commands. (Security level 0)
8 RBAC_PERM_MODERATOR_COMMANDS Allow the use of moderator commands. (Security level 1)
9 RBAC_PERM_GAMEMASTER_COMMANDS Allow the use of game-master commands. (Security level 2)
10 RBAC_PERM_ADMINISTRATOR_COMMANDS Allow the use of administrator commands. (Security level 3)
In-game commands
Name Syntax Description
.rbac account Syntax: .rbac account [$account]
View permissions of selected player or given account
Note: Only those that affect current realm
Note: Shows real permissions after checking group and roles
.rbac account group Syntax: .rbac account group [$account]
View groups of selected player or given account
Note: Only those that affect current realm
.rbac account group add Syntax: .rbac account group add [$account] #id [#realmId]
Add a group to selected player or given account.
#reamID may be -1 for all realms.
.rbac account group remove Syntax: .rbac account group remove [$account] #id Remove a group from selected player or given account.
.rbac account role Syntax: .rbac account role [$account]
View roles of selected player or given account
Note: Only those that affect current real
Note: Only those directly granted or denied, does not include inherited roles from groups
.rbac account role grant Syntax: .rbac account role grant [$account] #id [#realmId]
Grant a role to selected player or given account.
#reamID may be -1 for all realms.
.rbac account role deny Syntax: .rbac account role deny [$account] #id [#realmId]
Deny a role to selected player or given account.
#reamID may be -1 for all realms.
.rbac account role revoke Syntax: .rbac account role revoke [$account] #id
Remove a role from an account
Note: Removes the role from granted or denied roles
.rbac account permission Syntax: .rbac account permission [$account]
View permissions of selected player or given account
Note: Only those that affect current realm
Note: Only those directly granted or denied, does not include inherited permissions from roles
.rbac account permission grant Syntax: .rbac account permission grant [$account] #id [#realmId]
Grant a permission to selected player or given account.
#reamID may be -1 for all realms.
.rbac account permission deny Syntax: .rbac account permission deny [$account] #id [#realmId]
Deny a permission to selected player or given account.
#reamID may be -1 for all realms.
.rbac account permission revoke Syntax: .rbac account permission revoke [$account] #id
Remove a permission from an account
Note: Removes the permission from granted or denied permissions
.rbac list groups Syntax: .rbac list groups [$id]
View list of all groups.
If $id is given will show group info and his inherited roles.
.rbac list roles Syntax: .rbac list roles [$id]
View list of all roles.
If $id is given will show role info and his inherited permissions.
.rbac list permissions Syntax: .rbac list permissions [$id]
View list of all permissions.
If $id is given will show only info for that permission.

Commands are not (yet) covered by RBAC (allowing, denying and revoking specific commands to roles and groups)
Related tables (`auth` database)
Table Name Table Description Field Name Field Type Field Description
rbac_account_groups Account-Group relation accountId int Account id
groupId int Group id
realmId int Realm Id, -1 means all
rbac_account_permissions Account-Permission relation accountId int Account id
permissionId int Permission id
granted int Granted = 1, Denied = 0
realmId int Realm Id, -1 means all
rbac_account_roles Account-Role relation accountId int Account id
roleId int Role id
granted int Granted = 1, Denied = 0
realmId int Realm Id, -1 means all
rbac_group_roles Group-Role relation groupId int Group id
roleId int Role id
rbac_role_permissions Role-Permission relation roleId int Role id
permissionId int Permission id
rbac_groups Group List id int Group id
name text Group name
rbac_permissions Permission List id int Permission id
name text Permission name
rbac_roles Roles list id int Role id
name text Role name
rbac_security_level_groups Default groups to assign when an account is set gm level secId int Security Level id
groupId int Group id

Id	Name	Description
1	RBAC_PERM_INSTANT_LOGOUT	Instantly logging out everywhere. Does not work while in combat, dueling or falling.
2	RBAC_PERM_SKIP_QUEUE	Skip login queue.
3	RBAC_PERM_JOIN_NORMAL_BG	Allow joining normal battlegrounds.
4	RBAC_PERM_JOIN_RANDOM_BG	Allow joining random battlegrounds.
5	RBAC_PERM_JOIN_ARENAS	Allow joining arenas.
6	RBAC_PERM_JOIN_DUNGEON_FINDER	Allow joining dungeon finder (LFD, LFG).
7	RBAC_PERM_PLAYER_COMMANDS	Allow the use of player commands. (Security level 0)
8	RBAC_PERM_MODERATOR_COMMANDS	Allow the use of moderator commands. (Security level 1)
9	RBAC_PERM_GAMEMASTER_COMMANDS	Allow the use of game-master commands. (Security level 2)
10	RBAC_PERM_ADMINISTRATOR_COMMANDS	Allow the use of administrator commands. (Security level 3)

Name	Syntax	Description
.rbac account	Syntax: .rbac account [$account]	View permissions of selected player or given account Note: Only those that affect current realm Note: Shows real permissions after checking group and roles
.rbac account group	Syntax: .rbac account group [$account]	View groups of selected player or given account Note: Only those that affect current realm
.rbac account group add	Syntax: .rbac account group add [$account] #id [#realmId]	Add a group to selected player or given account. #reamID may be -1 for all realms.
.rbac account group remove	Syntax: .rbac account group remove [$account] #id	Remove a group from selected player or given account.
.rbac account role	Syntax: .rbac account role [$account]	View roles of selected player or given account Note: Only those that affect current real Note: Only those directly granted or denied, does not include inherited roles from groups
.rbac account role grant	Syntax: .rbac account role grant [$account] #id [#realmId]	Grant a role to selected player or given account. #reamID may be -1 for all realms.
.rbac account role deny	Syntax: .rbac account role deny [$account] #id [#realmId]	Deny a role to selected player or given account. #reamID may be -1 for all realms.
.rbac account role revoke	Syntax: .rbac account role revoke [$account] #id	Remove a role from an account Note: Removes the role from granted or denied roles
.rbac account permission	Syntax: .rbac account permission [$account]	View permissions of selected player or given account Note: Only those that affect current realm Note: Only those directly granted or denied, does not include inherited permissions from roles
.rbac account permission grant	Syntax: .rbac account permission grant [$account] #id [#realmId]	Grant a permission to selected player or given account. #reamID may be -1 for all realms.
.rbac account permission deny	Syntax: .rbac account permission deny [$account] #id [#realmId]	Deny a permission to selected player or given account. #reamID may be -1 for all realms.
.rbac account permission revoke	Syntax: .rbac account permission revoke [$account] #id	Remove a permission from an account Note: Removes the permission from granted or denied permissions
.rbac list groups	Syntax: .rbac list groups [$id]	View list of all groups. If $id is given will show group info and his inherited roles.
.rbac list roles	Syntax: .rbac list roles [$id]	View list of all roles. If $id is given will show role info and his inherited permissions.
.rbac list permissions	Syntax: .rbac list permissions [$id]	View list of all permissions. If $id is given will show only info for that permission.

Table Name	Table Description	Field Name	Field Type	Field Description
rbac_account_groups	Account-Group relation	accountId	int	Account id
		groupId	int	Group id
		realmId	int	Realm Id, -1 means all
rbac_account_permissions	Account-Permission relation	accountId	int	Account id
		permissionId	int	Permission id
		granted	int	Granted = 1, Denied = 0
		realmId	int	Realm Id, -1 means all
rbac_account_roles	Account-Role relation	accountId	int	Account id
		roleId	int	Role id
		granted	int	Granted = 1, Denied = 0
		realmId	int	Realm Id, -1 means all
rbac_group_roles	Group-Role relation	groupId	int	Group id
rbac_group_roles	Group-Role relation	roleId	int	Role id
rbac_role_permissions	Role-Permission relation	roleId	int	Role id
rbac_role_permissions	Role-Permission relation	permissionId	int	Permission id
rbac_groups	Group List	id	int	Group id
rbac_groups	Group List	name	text	Group name
rbac_permissions	Permission List	id	int	Permission id
rbac_permissions	Permission List	name	text	Permission name
rbac_roles	Roles list	id	int	Role id
rbac_roles	Roles list	name	text	Role name
rbac_security_level_groups	Default groups to assign when an account is set gm level	secId	int	Security Level id
rbac_security_level_groups	Default groups to assign when an account is set gm level	groupId	int	Group id