# RBAC Configuration for Rustelo Framework
# This file defines access control rules for databases, files, and content

[rbac]
# Cache TTL in seconds (default: 300 = 5 minutes).
# NOTE(review): what is cached is not defined here; presumably access
# decisions or role lookups, in which case a revocation may only take effect
# once the cached entry expires — keep this low where changes must apply
# promptly, and confirm against the cache implementation.
cache_ttl_seconds = 300

# Default permissions for resource types when no specific rules match.
# NOTE(review): these keys are capitalised (Database, File, ...) while the
# rules below use lowercase resource_type values ("database", "file", ...),
# and the "directory" type used by the rules has no default entry — confirm
# how the loader matches these names so a fall-through is not silently empty.
[rbac.default_permissions]
Database = ["read_content"]
File = ["read_file:public/*"]
Content = ["read_content"]
Api = []

# Category hierarchies - higher categories inherit lower category permissions
# (the key inherits everything granted to the categories it lists).
# NOTE(review): `admin` lists `it` and `it` lists `admin`, so the two form a
# cycle and are transitively equivalent: any subject holding `it` receives
# every permission of `admin`, and a resolver that walks the hierarchy
# without a visited set would not terminate. Confirm this is intended; if IT
# should reach only the `it`-gated rules below (logs, backups), drop one edge.
[rbac.category_hierarchies]
admin = ["editor", "viewer", "finance", "hr", "it"]
editor = ["viewer"]
finance = ["viewer"]
hr = ["viewer"]
it = ["admin"] # IT can access admin resources

# Tag hierarchies - higher tags inherit lower tag permissions.
# NOTE(review): read with the same key-inherits-values semantics as
# category_hierarchies, this chain makes `public` the most privileged tag
# (public ⊇ internal ⊇ confidential ⊇ restricted), so a subject tagged
# `public` would satisfy `required_tags = ["confidential"]` below. If tags
# denote sensitivity, the intended chain is probably the reverse — confirm
# the resolver's direction before relying on tag-gated rules.
[rbac.tag_hierarchies]
public = ["internal"]
internal = ["confidential"]
confidential = ["restricted"]

# Access rules - evaluated in order of priority (higher numbers first).
# The field semantics (in particular whether an empty allowed_permissions
# means "nothing granted" or "no permission restriction", and whether the
# first matching rule wins) are not defined in this file; the notes below
# assume the reading implied by admin_full_access — confirm against the
# evaluator.
[[rbac.rules]]
id = "admin_full_access"
resource_type = "database"
resource_name = "*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = []
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 1000

[[rbac.rules]]
id = "admin_all_files"
resource_type = "file"
resource_name = "*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["admin"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 1000

[[rbac.rules]]
id = "editor_content_access"
resource_type = "content"
resource_name = "*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_content"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 800

[[rbac.rules]]
id = "editor_database_content"
resource_type = "database"
resource_name = "content*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_database:content*"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 800

[[rbac.rules]]
id = "user_public_files"
resource_type = "file"
resource_name = "public/*"
allowed_roles = ["user"]
allowed_permissions = []
required_categories = []
required_tags = ["public"]
deny_categories = []
deny_tags = []
is_active = true
priority = 500

[[rbac.rules]]
id = "user_uploads"
resource_type = "file"
resource_name = "uploads/user/*"
allowed_roles = ["user"]
allowed_permissions = ["write_file:uploads/user/*"]
required_categories = []
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 500

[[rbac.rules]]
id = "finance_financial_data"
resource_type = "database"
resource_name = "finance*"
allowed_roles = ["user"]
allowed_permissions = ["read_database:finance*"]
required_categories = ["finance"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700

[[rbac.rules]]
id = "finance_reports"
resource_type = "file"
resource_name = "reports/financial/*"
allowed_roles = ["user"]
allowed_permissions = ["read_file:reports/financial/*"]
required_categories = ["finance"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700

[[rbac.rules]]
id = "hr_employee_data"
resource_type = "database"
resource_name = "hr*"
allowed_roles = ["user"]
allowed_permissions = ["read_database:hr*", "write_database:hr*"]
required_categories = ["hr"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700

# NOTE(review): `sensitive` is not part of tag_hierarchies above, so only a
# subject carrying that exact tag can match this rule — confirm that is what
# is wanted.
[[rbac.rules]]
id = "sensitive_data_restriction"
resource_type = "database"
resource_name = "*sensitive*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["admin"]
required_tags = ["sensitive"]
deny_categories = []
deny_tags = []
is_active = true
priority = 900

[[rbac.rules]]
id = "confidential_files"
resource_type = "file"
resource_name = "*confidential*"
allowed_roles = ["admin", "moderator"]
allowed_permissions = []
required_categories = ["admin"]
required_tags = ["confidential"]
deny_categories = []
deny_tags = []
is_active = true
priority = 900

[[rbac.rules]]
id = "api_admin_endpoints"
resource_type = "api"
resource_name = "/api/admin/*"
allowed_roles = ["admin"]
allowed_permissions = ["manage_system"]
required_categories = ["admin"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 1000

[[rbac.rules]]
id = "api_user_endpoints"
resource_type = "api"
resource_name = "/api/user/*"
allowed_roles = ["user"]
allowed_permissions = []
required_categories = []
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 500

# NOTE(review): despite its name this is an allow rule matching every
# database for role `user`, gated only by the absence of the `temporary`
# tag. With the lowest priority it is consulted last, so if the evaluator
# grants on first match it becomes a catch-all allow for users who did not
# satisfy the category-gated `finance*` / `hr*` rules above. Confirm the
# meaning of the empty allowed_permissions before keeping it this broad.
[[rbac.rules]]
id = "temporary_access_restriction"
resource_type = "database"
resource_name = "*"
allowed_roles = ["user"]
allowed_permissions = []
required_categories = []
required_tags = []
deny_categories = []
deny_tags = ["temporary"]
is_active = true
priority = 100

# Example rules for specific databases
[[rbac.rules]]
id = "analytics_db_read"
resource_type = "database"
resource_name = "analytics"
allowed_roles = ["user"]
allowed_permissions = ["read_database:analytics"]
required_categories = ["viewer"]
required_tags = ["internal"]
deny_categories = []
deny_tags = []
is_active = true
priority = 600

[[rbac.rules]]
id = "user_db_write"
resource_type = "database"
resource_name = "users"
allowed_roles = ["moderator"]
allowed_permissions = ["write_database:users"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 800

# Example rules for file directories
[[rbac.rules]]
id = "logs_directory_access"
resource_type = "directory"
resource_name = "/var/log/*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["it"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 900

[[rbac.rules]]
id = "backup_directory_access"
resource_type = "directory"
resource_name = "/backups/*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["it"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 900

# Content-specific rules
[[rbac.rules]]
id = "blog_posts_write"
resource_type = "content"
resource_name = "blog/*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_content"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700

[[rbac.rules]]
id = "pages_write"
resource_type = "content"
resource_name = "pages/*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_content"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700

[[rbac.rules]]
id = "guest_public_content"
resource_type = "content"
resource_name = "public/*"
allowed_roles = ["guest"]
allowed_permissions = []
required_categories = []
required_tags = ["public"]
deny_categories = []
deny_tags = []
is_active = true
priority = 300