Rustelo/config/features/rbac.toml

# RBAC Configuration for Rustelo Framework
# This file defines access control rules for databases, files, and content

[rbac]
# Cache TTL in seconds (default: 300 = 5 minutes)
cache_ttl_seconds = 300

# Default permissions for resource types when no specific rules match
[rbac.default_permissions]
Database = ["read_content"]
File = ["read_file:public/*"]
Content = ["read_content"]
Api = []

# Category hierarchies - higher categories inherit lower category permissions
[rbac.category_hierarchies]
admin = ["editor", "viewer", "finance", "hr", "it"]
editor = ["viewer"]
finance = ["viewer"]
hr = ["viewer"]
it = ["admin"]  # IT can access admin resources

# Tag hierarchies - higher tags inherit lower tag permissions
[rbac.tag_hierarchies]
public = ["internal"]
internal = ["confidential"]
confidential = ["restricted"]

# Access rules - evaluated in order of priority (higher numbers first)
[[rbac.rules]]
id = "admin_full_access"
resource_type = "database"
resource_name = "*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = []
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 1000

[[rbac.rules]]
id = "admin_all_files"
resource_type = "file"
resource_name = "*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["admin"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 1000

[[rbac.rules]]
id = "editor_content_access"
resource_type = "content"
resource_name = "*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_content"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 800

[[rbac.rules]]
id = "editor_database_content"
resource_type = "database"
resource_name = "content*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_database:content*"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 800

[[rbac.rules]]
id = "user_public_files"
resource_type = "file"
resource_name = "public/*"
allowed_roles = ["user"]
allowed_permissions = []
required_categories = []
required_tags = ["public"]
deny_categories = []
deny_tags = []
is_active = true
priority = 500

[[rbac.rules]]
id = "user_uploads"
resource_type = "file"
resource_name = "uploads/user/*"
allowed_roles = ["user"]
allowed_permissions = ["write_file:uploads/user/*"]
required_categories = []
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 500

[[rbac.rules]]
id = "finance_financial_data"
resource_type = "database"
resource_name = "finance*"
allowed_roles = ["user"]
allowed_permissions = ["read_database:finance*"]
required_categories = ["finance"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700

[[rbac.rules]]
id = "finance_reports"
resource_type = "file"
resource_name = "reports/financial/*"
allowed_roles = ["user"]
allowed_permissions = ["read_file:reports/financial/*"]
required_categories = ["finance"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700

[[rbac.rules]]
id = "hr_employee_data"
resource_type = "database"
resource_name = "hr*"
allowed_roles = ["user"]
allowed_permissions = ["read_database:hr*", "write_database:hr*"]
required_categories = ["hr"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700

[[rbac.rules]]
id = "sensitive_data_restriction"
resource_type = "database"
resource_name = "*sensitive*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["admin"]
required_tags = ["sensitive"]
deny_categories = []
deny_tags = []
is_active = true
priority = 900

[[rbac.rules]]
id = "confidential_files"
resource_type = "file"
resource_name = "*confidential*"
allowed_roles = ["admin", "moderator"]
allowed_permissions = []
required_categories = ["admin"]
required_tags = ["confidential"]
deny_categories = []
deny_tags = []
is_active = true
priority = 900

[[rbac.rules]]
id = "api_admin_endpoints"
resource_type = "api"
resource_name = "/api/admin/*"
allowed_roles = ["admin"]
allowed_permissions = ["manage_system"]
required_categories = ["admin"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 1000

[[rbac.rules]]
id = "api_user_endpoints"
resource_type = "api"
resource_name = "/api/user/*"
allowed_roles = ["user"]
allowed_permissions = []
required_categories = []
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 500

[[rbac.rules]]
id = "temporary_access_restriction"
resource_type = "database"
resource_name = "*"
allowed_roles = ["user"]
allowed_permissions = []
required_categories = []
required_tags = []
deny_categories = []
deny_tags = ["temporary"]
is_active = true
priority = 100

# Example rules for specific databases
[[rbac.rules]]
id = "analytics_db_read"
resource_type = "database"
resource_name = "analytics"
allowed_roles = ["user"]
allowed_permissions = ["read_database:analytics"]
required_categories = ["viewer"]
required_tags = ["internal"]
deny_categories = []
deny_tags = []
is_active = true
priority = 600

[[rbac.rules]]
id = "user_db_write"
resource_type = "database"
resource_name = "users"
allowed_roles = ["moderator"]
allowed_permissions = ["write_database:users"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 800

# Example rules for file directories
[[rbac.rules]]
id = "logs_directory_access"
resource_type = "directory"
resource_name = "/var/log/*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["it"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 900

[[rbac.rules]]
id = "backup_directory_access"
resource_type = "directory"
resource_name = "/backups/*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["it"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 900

# Content-specific rules
[[rbac.rules]]
id = "blog_posts_write"
resource_type = "content"
resource_name = "blog/*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_content"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700

[[rbac.rules]]
id = "pages_write"
resource_type = "content"
resource_name = "pages/*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_content"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700

[[rbac.rules]]
id = "guest_public_content"
resource_type = "content"
resource_name = "public/*"
allowed_roles = ["guest"]
allowed_permissions = []
required_categories = []
required_tags = ["public"]
deny_categories = []
deny_tags = []
is_active = true
priority = 300
chore: add config path 2025-07-07 23:13:01 +01:00			`# RBAC Configuration for Rustelo Framework`
			`# This file defines access control rules for databases, files, and content`

			`[rbac]`
			`# Cache TTL in seconds (default: 300 = 5 minutes)`
			`cache_ttl_seconds = 300`

			`# Default permissions for resource types when no specific rules match`
			`[rbac.default_permissions]`
			`Database = ["read_content"]`
			`File = ["read_file:public/*"]`
			`Content = ["read_content"]`
			`Api = []`

			`# Category hierarchies - higher categories inherit lower category permissions`
			`[rbac.category_hierarchies]`
			`admin = ["editor", "viewer", "finance", "hr", "it"]`
			`editor = ["viewer"]`
			`finance = ["viewer"]`
			`hr = ["viewer"]`
			`it = ["admin"] # IT can access admin resources`

			`# Tag hierarchies - higher tags inherit lower tag permissions`
			`[rbac.tag_hierarchies]`
			`public = ["internal"]`
			`internal = ["confidential"]`
			`confidential = ["restricted"]`

			`# Access rules - evaluated in order of priority (higher numbers first)`
			`[[rbac.rules]]`
			`id = "admin_full_access"`
			`resource_type = "database"`
			`resource_name = "*"`
			`allowed_roles = ["admin"]`
			`allowed_permissions = []`
			`required_categories = []`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 1000`

			`[[rbac.rules]]`
			`id = "admin_all_files"`
			`resource_type = "file"`
			`resource_name = "*"`
			`allowed_roles = ["admin"]`
			`allowed_permissions = []`
			`required_categories = ["admin"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 1000`

			`[[rbac.rules]]`
			`id = "editor_content_access"`
			`resource_type = "content"`
			`resource_name = "*"`
			`allowed_roles = ["moderator"]`
			`allowed_permissions = ["write_content"]`
			`required_categories = ["editor"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = ["restricted"]`
			`is_active = true`
			`priority = 800`

			`[[rbac.rules]]`
			`id = "editor_database_content"`
			`resource_type = "database"`
			`resource_name = "content*"`
			`allowed_roles = ["moderator"]`
			`allowed_permissions = ["write_database:content*"]`
			`required_categories = ["editor"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = ["restricted"]`
			`is_active = true`
			`priority = 800`

			`[[rbac.rules]]`
			`id = "user_public_files"`
			`resource_type = "file"`
			`resource_name = "public/*"`
			`allowed_roles = ["user"]`
			`allowed_permissions = []`
			`required_categories = []`
			`required_tags = ["public"]`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 500`

			`[[rbac.rules]]`
			`id = "user_uploads"`
			`resource_type = "file"`
			`resource_name = "uploads/user/*"`
			`allowed_roles = ["user"]`
			`allowed_permissions = ["write_file:uploads/user/*"]`
			`required_categories = []`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = ["restricted"]`
			`is_active = true`
			`priority = 500`

			`[[rbac.rules]]`
			`id = "finance_financial_data"`
			`resource_type = "database"`
			`resource_name = "finance*"`
			`allowed_roles = ["user"]`
			`allowed_permissions = ["read_database:finance*"]`
			`required_categories = ["finance"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 700`

			`[[rbac.rules]]`
			`id = "finance_reports"`
			`resource_type = "file"`
			`resource_name = "reports/financial/*"`
			`allowed_roles = ["user"]`
			`allowed_permissions = ["read_file:reports/financial/*"]`
			`required_categories = ["finance"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 700`

			`[[rbac.rules]]`
			`id = "hr_employee_data"`
			`resource_type = "database"`
			`resource_name = "hr*"`
			`allowed_roles = ["user"]`
			`allowed_permissions = ["read_database:hr", "write_database:hr"]`
			`required_categories = ["hr"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 700`

			`[[rbac.rules]]`
			`id = "sensitive_data_restriction"`
			`resource_type = "database"`
			`resource_name = "sensitive"`
			`allowed_roles = ["admin"]`
			`allowed_permissions = []`
			`required_categories = ["admin"]`
			`required_tags = ["sensitive"]`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 900`

			`[[rbac.rules]]`
			`id = "confidential_files"`
			`resource_type = "file"`
			`resource_name = "confidential"`
			`allowed_roles = ["admin", "moderator"]`
			`allowed_permissions = []`
			`required_categories = ["admin"]`
			`required_tags = ["confidential"]`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 900`

			`[[rbac.rules]]`
			`id = "api_admin_endpoints"`
			`resource_type = "api"`
			`resource_name = "/api/admin/*"`
			`allowed_roles = ["admin"]`
			`allowed_permissions = ["manage_system"]`
			`required_categories = ["admin"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 1000`

			`[[rbac.rules]]`
			`id = "api_user_endpoints"`
			`resource_type = "api"`
			`resource_name = "/api/user/*"`
			`allowed_roles = ["user"]`
			`allowed_permissions = []`
			`required_categories = []`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = ["restricted"]`
			`is_active = true`
			`priority = 500`

			`[[rbac.rules]]`
			`id = "temporary_access_restriction"`
			`resource_type = "database"`
			`resource_name = "*"`
			`allowed_roles = ["user"]`
			`allowed_permissions = []`
			`required_categories = []`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = ["temporary"]`
			`is_active = true`
			`priority = 100`

			`# Example rules for specific databases`
			`[[rbac.rules]]`
			`id = "analytics_db_read"`
			`resource_type = "database"`
			`resource_name = "analytics"`
			`allowed_roles = ["user"]`
			`allowed_permissions = ["read_database:analytics"]`
			`required_categories = ["viewer"]`
			`required_tags = ["internal"]`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 600`

			`[[rbac.rules]]`
			`id = "user_db_write"`
			`resource_type = "database"`
			`resource_name = "users"`
			`allowed_roles = ["moderator"]`
			`allowed_permissions = ["write_database:users"]`
			`required_categories = ["editor"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = ["restricted"]`
			`is_active = true`
			`priority = 800`

			`# Example rules for file directories`
			`[[rbac.rules]]`
			`id = "logs_directory_access"`
			`resource_type = "directory"`
			`resource_name = "/var/log/*"`
			`allowed_roles = ["admin"]`
			`allowed_permissions = []`
			`required_categories = ["it"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 900`

			`[[rbac.rules]]`
			`id = "backup_directory_access"`
			`resource_type = "directory"`
			`resource_name = "/backups/*"`
			`allowed_roles = ["admin"]`
			`allowed_permissions = []`
			`required_categories = ["it"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 900`

			`# Content-specific rules`
			`[[rbac.rules]]`
			`id = "blog_posts_write"`
			`resource_type = "content"`
			`resource_name = "blog/*"`
			`allowed_roles = ["moderator"]`
			`allowed_permissions = ["write_content"]`
			`required_categories = ["editor"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 700`

			`[[rbac.rules]]`
			`id = "pages_write"`
			`resource_type = "content"`
			`resource_name = "pages/*"`
			`allowed_roles = ["moderator"]`
			`allowed_permissions = ["write_content"]`
			`required_categories = ["editor"]`
			`required_tags = []`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 700`

			`[[rbac.rules]]`
			`id = "guest_public_content"`
			`resource_type = "content"`
			`resource_name = "public/*"`
			`allowed_roles = ["guest"]`
			`allowed_permissions = []`
			`required_categories = []`
			`required_tags = ["public"]`
			`deny_categories = []`
			`deny_tags = []`
			`is_active = true`
			`priority = 300`