RBAC gives more control over the actions an account can perform.
System defines
- Permissions to perform some action
- Roles: a set of permissions that have some relation
- Groups: a set of roles that have some relation
Operations
- Grant: Assign and allow
- Deny: Assign and do not allow
- Revoke: Remove
Precedence of operations
- Grant
- Deny
If a role grants you some action but that permission has been denied to you, the action cannot be performed.
Rules
- Groups can only have roles
- Roles can only have permissions
- An account can be assigned granted and denied roles. Permissions inherited from a role are granted if the role is granted and denied if the role is denied
- An account can be assigned granted and denied permissions
- An account can have multiple groups, roles and permissions
- An account cannot have the same role granted and denied at the same time
- An account cannot have the same permission granted and denied at the same time
- Id 0 cannot be used to define a group, role or permission
Permissions (default permissions)
Id | Name | Description |
---|---|---|
1 | RBAC_PERM_INSTANT_LOGOUT | Instantly logging out everywhere. Does not work while in combat, dueling or falling. |
2 | RBAC_PERM_SKIP_QUEUE | Skip login queue. |
3 | RBAC_PERM_JOIN_NORMAL_BG | Allow joining normal battlegrounds. |
4 | RBAC_PERM_JOIN_RANDOM_BG | Allow joining random battlegrounds. |
5 | RBAC_PERM_JOIN_ARENAS | Allow joining arenas. |
6 | RBAC_PERM_JOIN_DUNGEON_FINDER | Allow joining dungeon finder (LFD, LFG). |
7 | RBAC_PERM_PLAYER_COMMANDS | Allow the use of player commands. (Security level 0) (TEMP) |
8 | RBAC_PERM_MODERATOR_COMMANDS | Allow the use of moderator commands. (Security level 1) (TEMP) |
9 | RBAC_PERM_GAMEMASTER_COMMANDS | Allow the use of game-master commands. (Security level 2) (TEMP) |
10 | RBAC_PERM_ADMINISTRATOR_COMMANDS | Allow the use of administrator commands. (Security level 3) (TEMP) |
11 | RBAC_PERM_LOG_GM_TRADE | Log GM trades |
12 | free | |
13 | RBAC_PERM_SKIP_CHECK_INSTANCE_REQUIRED_BOSSES | Skip Instance required bosses check |
14 | RBAC_PERM_SKIP_CHECK_CHARACTER_CREATION_TEAMMASK | Skips character creation team mask check |
15 | RBAC_PERM_SKIP_CHECK_CHARACTER_CREATION_CLASSMASK | Skips character creation class mask check |
16 | RBAC_PERM_SKIP_CHECK_CHARACTER_CREATION_RACEMASK | Skips character creation race mask check |
17 | RBAC_PERM_SKIP_CHECK_CHARACTER_CREATION_RESERVEDNAME | Skips character creation reserved name check |
18 | RBAC_PERM_SKIP_CHECK_CHARACTER_CREATION_HEROIC_CHARACTER | Skips character creation heroic min level check |
19 | RBAC_PERM_SKIP_CHECK_CHAT_CHANNEL_REQ | Skips needed requirements to use channel check |
20 | RBAC_PERM_SKIP_CHECK_DISABLE_MAP | Skip disable map check |
21 | RBAC_PERM_SKIP_CHECK_MORE_TALENTS_THAN_ALLOWED | Skip reset talents when used more than allowed check |
22 | RBAC_PERM_SKIP_CHECK_CHAT_SPAM | Skip spam chat check |
23 | RBAC_PERM_SKIP_CHECK_OVERSPEED_PING | Skip over-speed ping check |
24 | RBAC_PERM_TWO_SIDE_CHARACTER_CREATION | Creation of two side faction characters in same account |
25 | RBAC_PERM_TWO_SIDE_INTERACTION_CHAT | Allow say chat between factions |
26 | RBAC_PERM_TWO_SIDE_INTERACTION_CHANNEL | Allow channel chat between factions |
27 | RBAC_PERM_TWO_SIDE_INTERACTION_MAIL | Two side mail interaction |
28 | RBAC_PERM_TWO_SIDE_WHO_LIST | See two side who list |
29 | RBAC_PERM_TWO_SIDE_ADD_FRIEND | Add friends of other faction |
30 | RBAC_PERM_COMMANDS_SAVE_WITHOUT_DELAY | Save character without delay with .save command |
31 | RBAC_PERM_COMMANDS_USE_UNSTUCK_WITH_ARGS | Use params with .unstuck command |
32 | RBAC_PERM_COMMANDS_BE_ASSIGNED_TICKET | Can be assigned tickets with .assign ticket command |
33 | RBAC_PERM_COMMANDS_NOTIFY_COMMAND_NOT_FOUND_ERROR | Notify if a command was not found |
34 | RBAC_PERM_COMMANDS_APPEAR_IN_GM_LIST | Check if should appear in list using .gm ingame command |
35 | RBAC_PERM_WHO_SEE_ALL_SEC_LEVELS | See all security levels with who command |
36 | RBAC_PERM_CAN_FILTER_WHISPERS | Filter whispers |
37 | RBAC_PERM_CHAT_USE_STAFF_BADGE | Use staff badge in chat |
38 | RBAC_PERM_RESURRECT_WITH_FULL_HPS | Resurrect with full Health Points |
39 | RBAC_PERM_RESTORE_SAVED_GM_STATE | Restore saved gm setting states |
40 | RBAC_PERM_ALLOW_GM_FRIEND | Allows to add a gm to friend list |
41 | RBAC_PERM_USE_START_GM_LEVEL | Use Config option START_GM_LEVEL to assign new character level |
42 | RBAC_PERM_OPCODE_WORLD_TELEPORT | Allows to use CMSG_WORLD_TELEPORT opcode |
43 | RBAC_PERM_OPCODE_WHOIS | Allows to use CMSG_WHOIS opcode |
44 | RBAC_PERM_RECEIVE_GLOBAL_GM_TEXTMESSAGE | Receive global GM messages/texts |
45 | RBAC_PERM_SILENTLY_JOIN_CHANNEL | Join channels without announce |
46 | RBAC_PERM_CHANGE_CHANNEL_NOT_MODERATOR | Change channel settings without being channel moderator |
47 | RBAC_PERM_CHECK_FOR_LOWER_SECURITY | Enables lower security than target check |
In-game commands
Name | Syntax | Description |
---|---|---|
.rbac account | Syntax: .rbac account [$account] | View permissions of selected player or given account. Note: Only those that affect current realm. Note: Shows real permissions after checking group and roles. |
.rbac account group | Syntax: .rbac account group [$account] | View groups of selected player or given account. Note: Only those that affect current realm. |
.rbac account group add | Syntax: .rbac account group add [$account] #id [#realmId] | Add a group to selected player or given account. #realmId may be -1 for all realms. |
.rbac account group remove | Syntax: .rbac account group remove [$account] #id | Remove a group from selected player or given account. |
.rbac account role | Syntax: .rbac account role [$account] | View roles of selected player or given account. Note: Only those that affect current realm. Note: Only those directly granted or denied, does not include inherited roles from groups. |
.rbac account role grant | Syntax: .rbac account role grant [$account] #id [#realmId] | Grant a role to selected player or given account. #realmId may be -1 for all realms. |
.rbac account role deny | Syntax: .rbac account role deny [$account] #id [#realmId] | Deny a role to selected player or given account. #realmId may be -1 for all realms. |
.rbac account role revoke | Syntax: .rbac account role revoke [$account] #id | Remove a role from an account. Note: Removes the role from granted or denied roles. |
.rbac account permission | Syntax: .rbac account permission [$account] | View permissions of selected player or given account. Note: Only those that affect current realm. Note: Only those directly granted or denied, does not include inherited permissions from roles. |
.rbac account permission grant | Syntax: .rbac account permission grant [$account] #id [#realmId] | Grant a permission to selected player or given account. #realmId may be -1 for all realms. |
.rbac account permission deny | Syntax: .rbac account permission deny [$account] #id [#realmId] | Deny a permission to selected player or given account. #realmId may be -1 for all realms. |
.rbac account permission revoke | Syntax: .rbac account permission revoke [$account] #id | Remove a permission from an account. Note: Removes the permission from granted or denied permissions. |
.rbac list groups | Syntax: .rbac list groups [$id] | View list of all groups. If $id is given, shows group info and its inherited roles. |
.rbac list roles | Syntax: .rbac list roles [$id] | View list of all roles. If $id is given, shows role info and its inherited permissions. |
.rbac list permissions | Syntax: .rbac list permissions [$id] | View list of all permissions. If $id is given, shows only info for that permission. |
Commands are not (yet) covered by RBAC (allowing, denying and revoking specific commands to roles and groups)
Related tables (`auth` database)
Table Name | Table Description | Field Name | Field Type | Field Description |
---|---|---|---|---|
rbac_account_groups | Account-Group relation | accountId | int | Account id |
rbac_account_groups | Account-Group relation | groupId | int | Group id |
rbac_account_groups | Account-Group relation | realmId | int | Realm Id, -1 means all |
rbac_account_permissions | Account-Permission relation | accountId | int | Account id |
rbac_account_permissions | Account-Permission relation | permissionId | int | Permission id |
rbac_account_permissions | Account-Permission relation | granted | int | Granted = 1, Denied = 0 |
rbac_account_permissions | Account-Permission relation | realmId | int | Realm Id, -1 means all |
rbac_account_roles | Account-Role relation | accountId | int | Account id |
rbac_account_roles | Account-Role relation | roleId | int | Role id |
rbac_account_roles | Account-Role relation | granted | int | Granted = 1, Denied = 0 |
rbac_account_roles | Account-Role relation | realmId | int | Realm Id, -1 means all |
rbac_group_roles | Group-Role relation | groupId | int | Group id |
rbac_group_roles | Group-Role relation | roleId | int | Role id |
rbac_role_permissions | Role-Permission relation | roleId | int | Role id |
rbac_role_permissions | Role-Permission relation | permissionId | int | Permission id |
rbac_groups | Group List | id | int | Group id |
rbac_groups | Group List | name | text | Group name |
rbac_permissions | Permission List | id | int | Permission id |
rbac_permissions | Permission List | name | text | Permission name |
rbac_roles | Roles list | id | int | Role id |
rbac_roles | Roles list | name | text | Role name |
rbac_security_level_groups | Default groups to assign when an account is set gm level | secId | int | Security Level id |
rbac_security_level_groups | Default groups to assign when an account is set gm level | groupId | int | Group id |
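The rules and the tables above combine into one effective permission set per account and realm. The following is an added example, not TrinityCore's own code: it loads the documented relation tables into an in-memory SQLite database and resolves that set, which is useful when auditing what an account can really do. Assumptions: the effective set is everything granted (directly, through granted roles, or through group roles) minus everything denied, and all rows, the account id 100 and the group and role ids are constructed sample data.

```python
import sqlite3

# Table and column names follow the list above; every row is constructed sample data.
SCHEMA = """
CREATE TABLE rbac_account_groups      (accountId INT, groupId INT, realmId INT);
CREATE TABLE rbac_account_roles       (accountId INT, roleId INT, granted INT, realmId INT);
CREATE TABLE rbac_account_permissions (accountId INT, permissionId INT, granted INT, realmId INT);
CREATE TABLE rbac_group_roles         (groupId INT, roleId INT);
CREATE TABLE rbac_role_permissions    (roleId INT, permissionId INT);
INSERT INTO rbac_group_roles VALUES (1, 1), (1, 2);
INSERT INTO rbac_role_permissions VALUES (1, 3), (1, 4), (2, 5), (3, 25), (3, 26);
INSERT INTO rbac_account_groups VALUES (100, 1, -1);
INSERT INTO rbac_account_roles VALUES (100, 3, 1, 2), (100, 2, 0, 1);
INSERT INTO rbac_account_permissions VALUES (100, 2, 1, -1), (100, 4, 0, 2);
"""

# Direct permissions plus permissions of directly assigned roles; :g picks granted (1) or denied (0).
BY_ACCOUNT = """
SELECT permissionId FROM rbac_account_permissions
 WHERE accountId = :a AND granted = :g AND realmId IN (-1, :r)
UNION
SELECT rp.permissionId FROM rbac_account_roles ar
  JOIN rbac_role_permissions rp ON rp.roleId = ar.roleId
 WHERE ar.accountId = :a AND ar.granted = :g AND ar.realmId IN (-1, :r)
"""
# Permissions inherited through groups (groups hold roles, roles hold permissions).
BY_GROUP = """
SELECT rp.permissionId FROM rbac_account_groups ag
  JOIN rbac_group_roles gr ON gr.groupId = ag.groupId
  JOIN rbac_role_permissions rp ON rp.roleId = gr.roleId
 WHERE ag.accountId = :a AND ag.realmId IN (-1, :r)
"""

def effective_permissions(db, account_id, realm_id):
    """Return the sorted permission ids left after deny overrides grant."""
    def ids(sql, **extra):
        args = {"a": account_id, "r": realm_id, **extra}
        return {row[0] for row in db.execute(sql, args)}
    granted = ids(BY_ACCOUNT, g=1) | ids(BY_GROUP)
    denied = ids(BY_ACCOUNT, g=0)
    return sorted(granted - denied)

def sample_db():
    # Fresh in-memory database holding the constructed rows above.
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db
```

With the sample rows, the denied role 2 strips permission 5 on realm 1 even though group 1 supplies it, while the deny of permission 4 and the grant of role 3 apply only on realm 2.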
Suggestion
Create a web interface (in PHP or other accessible web technology) to ease the management of the RBAC system.
If simple and good enough, it could possibly be added to TrinityCore repository (/contrib/ directory)!