RBAC: Role-based Access Control
RBAC gives finer-grained control over the actions an account can perform.
The system defines:
- Permissions: the right to perform some action
- Roles: a set of related permissions
Operations
- Grant: Assign and allow
- Deny: Assign and do not allow
- Revoke: Remove
Precedence of operations
- Grant
- Deny
If a role grants you a permission but that same permission is denied to you, the action cannot be performed: Deny takes precedence over Grant.
Rules
- Permissions can have linked permissions (thus creating a role).
- An account can be assigned granted and denied roles. Permissions inherited from a role are granted if the role is granted and denied if the role is denied.
- An account can be assigned granted and denied permissions.
- An account can have multiple roles and permissions.
- An account cannot have the same permission or role both granted and denied at the same time.
- Id 0 can not be used to define a permission.
Permissions (default permissions)
See the rbac_permissions table for the complete list of available permissions and their ids. The table is self-explanatory.
In-game commands
Name | Syntax | Description |
---|---|---|
.rbac account | .rbac account [$account] | View permissions of the selected player or given account. Note: only those that affect the current realm. Note: shows the real (effective) permissions after checking group and roles. |
.rbac account permission | .rbac account list [$account] | View permissions of the selected player or given account. Note: only those that affect the current realm. Note: only those directly granted or denied; permissions inherited from roles are not included. |
.rbac account grant | .rbac account grant [$account] #id [#realmId] | Grant a permission to the selected player or given account. #realmId may be -1 for all realms. |
.rbac account deny | .rbac account deny [$account] #id [#realmId] | Deny a permission to the selected player or given account. #realmId may be -1 for all realms. |
.rbac account revoke | .rbac account revoke [$account] #id | Remove a permission from an account. Note: removes the permission from both granted and denied permissions. |
.rbac list | .rbac list | View the list of all permissions. If $id is given, only the info for that permission is shown. |
Related tables (`auth` database)
Table Name | Table Description | Field Name | Field Type | Field Description |
---|---|---|---|---|
rbac_account_permissions | Account-Permission relation | accountId | int | Account id |
 | | permissionId | int | Permission id |
 | | granted | int | Granted = 1, Denied = 0 |
 | | realmId | int | Realm id, -1 means all |
rbac_permissions | Permission list | id | int | Permission id |
 | | name | text | Permission name |
rbac_default_permissions | Default permissions to assign to a specific security level (account_access) | secId | int | Security level id |
 | | permissionId | int | Permission id |
rbac_linked_permissions | Assigns permissions to roles (see rbac_permissions for permissions named "role"); can also be used to link permissions to permissions (creating new roles) | id | int | Security Level id |
 | | linkedId | int | Permission id |
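The following added example (not TrinityCore code) shows how the rules above resolve an account's effective permissions from rows shaped like rbac_account_permissions and rbac_linked_permissions: roles are expanded through the link table, Deny takes precedence over Grant, and realmId -1 matches every realm. It assumes that a row with a specific realmId only affects that realm, and all rows are constructed sample data.

```python
# Added example (not TrinityCore code): resolve effective RBAC permissions
# from rows shaped like the auth tables described on this page.
from typing import Dict, List, Set, Tuple

# Constructed rbac_linked_permissions rows as (id, linkedId).
# Permission 1 acts as a "role" linking 10 and 11; 11 in turn links 12.
LINKED: List[Tuple[int, int]] = [(1, 10), (1, 11), (11, 12)]


def expand(perm_id: int, linked=LINKED) -> Set[int]:
    """Return perm_id plus every permission reachable through the link table."""
    result, stack = set(), [perm_id]
    while stack:
        p = stack.pop()
        if p in result:
            continue  # already visited; also protects against link cycles
        result.add(p)
        stack.extend(child for parent, child in linked if parent == p)
    return result


def effective_permissions(rows, realm_id: int, linked=LINKED) -> Set[int]:
    """rows: (permissionId, granted, realmId) tuples from rbac_account_permissions
    for one account. Deny wins over Grant; realmId -1 applies to all realms."""
    granted, denied = set(), set()
    for perm_id, is_granted, row_realm in rows:
        if row_realm not in (-1, realm_id):
            continue  # assumption: a realm-specific row affects only that realm
        (granted if is_granted else denied).update(expand(perm_id, linked))
    return granted - denied


def check_consistency(rows) -> List[int]:
    """Return permission ids that are both granted and denied for the same
    realm, which the rules above forbid."""
    seen: Dict[Tuple[int, int], Set[int]] = {}
    for perm_id, is_granted, row_realm in rows:
        seen.setdefault((perm_id, row_realm), set()).add(is_granted)
    return sorted(p for (p, _), flags in seen.items() if flags == {0, 1})


# Constructed account rows: role 1 granted on all realms, permission 12
# denied on realm 1 only, permission 20 granted on realm 2 only.
ACCOUNT_ROWS = [(1, 1, -1), (12, 0, 1), (20, 1, 2)]

if __name__ == "__main__":
    print(sorted(effective_permissions(ACCOUNT_ROWS, realm_id=1)))  # [1, 10, 11]
    print(sorted(effective_permissions(ACCOUNT_ROWS, realm_id=2)))  # [1, 10, 11, 12, 20]
```

On realm 1 the direct deny of 12 removes it even though role 1 grants it; on realm 2 that deny row does not apply, so 12 survives.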
Suggestion
Create a web interface (in PHP or another accessible web technology) to ease the management of the RBAC system.
If it is simple and good enough, it could be added to the TrinityCore repository (/contrib/ directory)!