RBAC: Role based Access Control
RBAC gives more control over actions an account can perform
System defines
- Permissions to perform some action
- Roles: a set of permissions that have some relation
Operations
- Grant: Assign and allow
- Deny: Assign and do not allow
- Revoke: Remove
Precedence of operations
- Grant
- Deny
If you are granted some action by a role but you have denied that permission, the action can not be done.
Rules
- Permissions can have linked permissions (thus creating a role).
- An account can be assigned granted and denied roles. Permissions inherited from roles are granted if roles is granted and denied if roles is denied.
- An account can be assigned granted and denied permissions.
- An account can have multiple roles and permissions.
- An account can not have same permission or role granted and denied at same time.
- Id 0 can not be used to define a permission.
Permissions (default permissions)
See rbac_permissions table for complete listing of available permissions and associated id. This table is self-explanatory.
In-game commands
| Name | Syntax | Description |
|---|---|---|
| .rbac account | Syntax: .rbac account [$account] | View permissions of selected player or given account Note: Only those that affect current realm Note: Shows real permissions after checking group and roles |
| .rbac account permission | Syntax: .rbac account list [$account] | View permissions of selected player or given account Note: Only those that affect current realm Note: Only those directly granted or denied, does not include inherited permissions from roles |
| .rbac account grant | Syntax: .rbac account grant [$account] #id [#realmId] | Grant a permission to selected player or given account. #reamID may be -1 for all realms. |
| .rbac account deny | Syntax: .rbac account deny [$account] #id [#realmId] | Deny a permission to selected player or given account. #reamID may be -1 for all realms. |
| .rbac account revoke | Syntax: .rbac account revoke [$account] #id | Remove a permission from an account Note: Removes the permission from granted or denied permissions |
| .rbac list | Syntax: .rbac list | View list of all permissions. If $id is given will show only info for that permission. |
Related tables (`auth` database)
| Table Name | Table Description | Field Name | Field Type | Field Description |
|---|---|---|---|---|
| rbac_account_permissions | Account-Permission relation | accountId | int | Account id |
| permissionId | int | Permission id | ||
| granted | int | Granted = 1, Denied = 0 | ||
| realmId | int | Realm Id, -1 means all | ||
| rbac_permissions | Permission List | id | int | Permission id |
| name | text | Permission name | ||
| rbac_default_permissions | Default permissions to assign to a specific security level (account_access) | secId | int | Security Level id |
| permissionId | int | Permission id | ||
| rbac_linked_permissions | Assigns permissions to roles (see rbac_permissions for permissions with name "role") Can also be used to link permissions to permissions (creating new roles) | id | int | Security Level id |
| linkedId | int | Permission id |
Suggestion
Create a web interface (in PHP or other accessible web technology) to ease the management of the RBAC system.
If simple and good enough, it could possibly be added to TrinityCore repository (/contrib/ directory)!