Overview

Introduction

All users associated with a single Casdoor organization are shared between the organization's applications and therefore have access to those applications. To restrict users' access to certain applications, you can use a Permission, which is implemented with Casbin.

Inside a permission, the Sub users and Resources attributes are available to check which application the user is using for login. It also supports configuring a custom model to meet the diverse needs of users.

See the following example to get a clearer picture of Casdoor's permission control for applications.

Permission for applications

Before using Permission, you need to create a Model which is abstracted into a CONF file based on the PERM metamodel. You can visit the Casbin documentation for more information. We recommend using the Casbin Online Editor to design the model and check the grammar.

Click the Models tab and add a new model. On the edit page, you can configure a custom model, such as the ACL model, in the Model text.

[request_definition]
r = sub, obj, act

[policy_definition]
p = sub, obj, act

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = r.sub == p.sub && r.obj == p.obj && r.act == p.act

Click the Permissions tab and add a new permission. On the edit page, you need to select the model, adapter, sub users, resources and actions as below.

info

The Adapter field supports specifying the name of the table where the policies are stored. If this field is empty, the policies are stored in the permission_rule table. We strongly recommend specifying a different Adapter for each model, because storing all policies in the same table is likely to cause conflicts.

After saving, the users test, seriouszyx and admin can log in to the application app-built-in. Other users, such as casdoortest, cannot.
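The login outcome above follows from the ACL model's exact-match matcher and its allow-only effect, which denies any request that no policy row matches. As an added example (not Casdoor's or Casbin's own code), this Go program evaluates the same matcher by hand over constructed policy rows; the plain usernames as subjects and the `Read` action are assumptions, since the page does not show the stored rows.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one "p" row of the ACL model: p = sub, obj, act.
type Rule struct{ Sub, Obj, Act string }

// SamplePolicy holds constructed rows in Casbin's CSV policy format. The
// subjects and resource come from the page; the "Read" action is an assumption.
const SamplePolicy = `
p, test, app-built-in, Read
p, seriouszyx, app-built-in, Read
p, admin, app-built-in, Read
`

// ParsePolicy reads "p, sub, obj, act" rows and ignores blank or malformed lines.
func ParsePolicy(text string) []Rule {
	var rules []Rule
	for _, line := range strings.Split(text, "\n") {
		f := strings.FieldsFunc(line, func(r rune) bool { return strings.ContainsRune(", \t\r", r) })
		if len(f) == 4 && f[0] == "p" {
			rules = append(rules, Rule{f[1], f[2], f[3]})
		}
	}
	return rules
}

// Enforce applies m = r.sub == p.sub && r.obj == p.obj && r.act == p.act with
// e = some(where (p.eft == allow)): one exact match allows, no match denies.
func Enforce(rules []Rule, sub, obj, act string) bool {
	for _, p := range rules {
		if sub == p.Sub && obj == p.Obj && act == p.Act {
			return true
		}
	}
	return false
}

func main() {
	rules := ParsePolicy(SamplePolicy)
	for _, u := range []string{"test", "seriouszyx", "admin", "casdoortest"} {
		fmt.Printf("%-12s app-built-in: %v\n", u, Enforce(rules, u, "app-built-in", "Read"))
	}
}
```

Because the matcher compares strings exactly, a subject that differs only in case or a resource name that is not listed is denied just like casdoortest.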