RBAC Heirarchy

The examples in the docs about RBAC, I don’t know if it’s top down or bottom up inheritance.

The docs use Admin and Author as examples. I think it’s top down, Admin can edit Author articles, but Author can’t edit Admin articles - I think. That would mean Admin gets all of the permissions of Author, but not the other way around, right? Or an example of what I’m thinking of.

We have User, Author, Editor, Developer, Admin. So would User be the root?

Looking at the tree like this it would make sense, but if top level inherits the permissions of the decedents it does not.


|- Developer

|- Admin

  |- Editor

    |- Author

or would User be assigned separately altogether?


|- Editor

  |- Author



All are users and should get the User permissions. All Admins should also get Editor, and Author permissions, and obviously not all authors are editors. So the hierarchy is a little fuzzy to me in that regard.

I think it would be bottom up. From what I’ve researched (still confusing to me too) it seems that you make a “CanRead” action(?), and add it to the “User” role.

Then make "CanCreate, CanEditOwn" actions, then add "User" role and these two actions to the "Author" role.

Then make "CanEditAny, CanDeleteAny" action, then add "Author" role and these two actions to the "Admin" role.

Rereading your post, I would look at RBAC as inheritance:

Admin inherits Author inherits User.

Hope this helps.

Yes. You’re correct about example.

Not sure what you mean with top-down though. Traversing starts with permission you’re checking and goes up to role user assigned to.



Thanks! One question, though. An item can have more than one parent? Your example shows User is a descendant of 3 other items.