jesus/Rustelo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Rustelo/config/features/rbac.toml
Jesús Pérex 515c9343f4
Some checks failed
CI/CD Pipeline / Test Suite (push) Has been cancelled
Details
CI/CD Pipeline / Security Audit (push) Has been cancelled
Details
CI/CD Pipeline / Build Docker Image (push) Has been cancelled
Details
CI/CD Pipeline / Deploy to Staging (push) Has been cancelled
Details
CI/CD Pipeline / Deploy to Production (push) Has been cancelled
Details
CI/CD Pipeline / Performance Benchmarks (push) Has been cancelled
Details
CI/CD Pipeline / Cleanup (push) Has been cancelled
Details
chore: add config path
2025-07-07 23:13:01 +01:00

305 lines
6.8 KiB
TOML
Raw Blame History

# RBAC Configuration for Rustelo Framework
# This file defines access control rules for databases, files, and content
[rbac]
# Cache TTL in seconds (default: 300 = 5 minutes)
cache_ttl_seconds = 300
# Default permissions for resource types when no specific rules match
[rbac.default_permissions]
Database = ["read_content"]
File = ["read_file:public/*"]
Content = ["read_content"]
Api = []
# Category hierarchies - higher categories inherit lower category permissions
[rbac.category_hierarchies]
admin = ["editor", "viewer", "finance", "hr", "it"]
editor = ["viewer"]
finance = ["viewer"]
hr = ["viewer"]
it = ["admin"] # IT can access admin resources
# Tag hierarchies - higher tags inherit lower tag permissions
[rbac.tag_hierarchies]
public = ["internal"]
internal = ["confidential"]
confidential = ["restricted"]
# Access rules - evaluated in order of priority (higher numbers first)
[[rbac.rules]]
id = "admin_full_access"
resource_type = "database"
resource_name = "*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = []
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 1000
[[rbac.rules]]
id = "admin_all_files"
resource_type = "file"
resource_name = "*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["admin"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 1000
[[rbac.rules]]
id = "editor_content_access"
resource_type = "content"
resource_name = "*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_content"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 800
[[rbac.rules]]
id = "editor_database_content"
resource_type = "database"
resource_name = "content*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_database:content*"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 800
[[rbac.rules]]
id = "user_public_files"
resource_type = "file"
resource_name = "public/*"
allowed_roles = ["user"]
allowed_permissions = []
required_categories = []
required_tags = ["public"]
deny_categories = []
deny_tags = []
is_active = true
priority = 500
[[rbac.rules]]
id = "user_uploads"
resource_type = "file"
resource_name = "uploads/user/*"
allowed_roles = ["user"]
allowed_permissions = ["write_file:uploads/user/*"]
required_categories = []
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 500
[[rbac.rules]]
id = "finance_financial_data"
resource_type = "database"
resource_name = "finance*"
allowed_roles = ["user"]
allowed_permissions = ["read_database:finance*"]
required_categories = ["finance"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700
[[rbac.rules]]
id = "finance_reports"
resource_type = "file"
resource_name = "reports/financial/*"
allowed_roles = ["user"]
allowed_permissions = ["read_file:reports/financial/*"]
required_categories = ["finance"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700
[[rbac.rules]]
id = "hr_employee_data"
resource_type = "database"
resource_name = "hr*"
allowed_roles = ["user"]
allowed_permissions = ["read_database:hr*", "write_database:hr*"]
required_categories = ["hr"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700
[[rbac.rules]]
id = "sensitive_data_restriction"
resource_type = "database"
resource_name = "*sensitive*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["admin"]
required_tags = ["sensitive"]
deny_categories = []
deny_tags = []
is_active = true
priority = 900
[[rbac.rules]]
id = "confidential_files"
resource_type = "file"
resource_name = "*confidential*"
allowed_roles = ["admin", "moderator"]
allowed_permissions = []
required_categories = ["admin"]
required_tags = ["confidential"]
deny_categories = []
deny_tags = []
is_active = true
priority = 900
[[rbac.rules]]
id = "api_admin_endpoints"
resource_type = "api"
resource_name = "/api/admin/*"
allowed_roles = ["admin"]
allowed_permissions = ["manage_system"]
required_categories = ["admin"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 1000
[[rbac.rules]]
id = "api_user_endpoints"
resource_type = "api"
resource_name = "/api/user/*"
allowed_roles = ["user"]
allowed_permissions = []
required_categories = []
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 500
[[rbac.rules]]
id = "temporary_access_restriction"
resource_type = "database"
resource_name = "*"
allowed_roles = ["user"]
allowed_permissions = []
required_categories = []
required_tags = []
deny_categories = []
deny_tags = ["temporary"]
is_active = true
priority = 100
# Example rules for specific databases
[[rbac.rules]]
id = "analytics_db_read"
resource_type = "database"
resource_name = "analytics"
allowed_roles = ["user"]
allowed_permissions = ["read_database:analytics"]
required_categories = ["viewer"]
required_tags = ["internal"]
deny_categories = []
deny_tags = []
is_active = true
priority = 600
[[rbac.rules]]
id = "user_db_write"
resource_type = "database"
resource_name = "users"
allowed_roles = ["moderator"]
allowed_permissions = ["write_database:users"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = ["restricted"]
is_active = true
priority = 800
# Example rules for file directories
[[rbac.rules]]
id = "logs_directory_access"
resource_type = "directory"
resource_name = "/var/log/*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["it"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 900
[[rbac.rules]]
id = "backup_directory_access"
resource_type = "directory"
resource_name = "/backups/*"
allowed_roles = ["admin"]
allowed_permissions = []
required_categories = ["it"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 900
# Content-specific rules
[[rbac.rules]]
id = "blog_posts_write"
resource_type = "content"
resource_name = "blog/*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_content"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700
[[rbac.rules]]
id = "pages_write"
resource_type = "content"
resource_name = "pages/*"
allowed_roles = ["moderator"]
allowed_permissions = ["write_content"]
required_categories = ["editor"]
required_tags = []
deny_categories = []
deny_tags = []
is_active = true
priority = 700
[[rbac.rules]]
id = "guest_public_content"
resource_type = "content"
resource_name = "public/*"
allowed_roles = ["guest"]
allowed_permissions = []
required_categories = []
required_tags = ["public"]
deny_categories = []
deny_tags = []
is_active = true
priority = 300
Reference in New Issue View Git Blame Copy Permalink