In today's complex application systems, access control remains a critical concern. This guide will help you understand Casbin's configuration system through practical examples of different access control models.
I. Casbin Core Concepts
1.1 Access Control Model Comparison

| Model Type | Suitable Scale | Management Complexity | Flexibility | Performance | Typical Use Case |
|---|---|---|---|---|---|
| ACL | Small projects | Low | Low | High | Personal blog systems |
| RBAC | Medium projects | Medium | Medium | Medium | Enterprise management |
| ABAC | Large projects | High | High | Medium | Financial applications |
| Domain RBAC | Multi-tenant | High | High | Medium | SaaS platforms |
1.2 Core Configuration Files

| File | Purpose | Format | Required |
|---|---|---|---|
| model.conf | Defines the access control model (request, policy, role, effect and matcher sections) | CONF | ✅ |
| policy.csv | Stores permission rules; needed when policies are loaded by the file adapter rather than from a database adapter | CSV | ✅ (file adapter) |
| rbac_model.conf | Model file variant that adds a [role_definition] section for RBAC | CONF | ❌ |
| custom_function.go | Custom matching functions registered on the enforcer with AddFunction | Go | ❌ |
II. ACL Model Configuration
2.1 Basic Model Configuration
The ACL matcher compares subject and object exactly and the action with regexMatch, which applies the policy value as an unanchored Go regular expression: a policy action of GET also matches any request action that merely contains GET. Anchor the pattern (^GET$, ^(GET|POST)$) unless request actions come from a fixed, validated set.

```ini
# acl_model.conf - Basic ACL model configuration
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = r.sub == p.sub && r.obj == p.obj && regexMatch(r.act, p.act)
```
2.2 ACL Policy Configuration Example

```csv
# acl_policy.csv - Permission rules configuration
# Format: p, subject, object, action
p, alice, /data1, GET
p, alice, /data1, POST
p, bob, /data2, GET
p, bob, /data2, POST
```
2.3 ACL Permission Decision Matrix

| User | Resource Path | Request Method | Allowed | Reason |
|---|---|---|---|---|
| alice | /data1 | GET | ✅ | Explicitly allowed |
| alice | /data2 | GET | ❌ | No matching rule (deny by default) |
| bob | /data2 | GET | ✅ | Explicitly allowed |
| bob | /data1 | POST | ❌ | No matching rule (deny by default) |
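The decision matrix can be checked offline with a small stand-in evaluator that implements the ACL matcher and Casbin's regexMatch semantics (regexp.MatchString, unanchored). This is an added example, not Casbin's code and not from the original page; the policy rows are the page's, embedded as a string, and the FORGET request is a constructed action used only to show why unanchored patterns matter.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// policy is one "p, sub, obj, act" row from acl_policy.csv.
type policy struct{ sub, obj, act string }

// parsePolicies reads Casbin-style CSV text, skipping blank and comment lines.
func parsePolicies(text string) []policy {
	var out []policy
	for _, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Split(line, ",")
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		if len(f) == 4 && f[0] == "p" {
			out = append(out, policy{f[1], f[2], f[3]})
		}
	}
	return out
}

// regexMatch mirrors Casbin's built-in: the policy value is a Go regexp
// applied to the request value, and it is NOT anchored.
func regexMatch(reqVal, patVal string) bool {
	ok, err := regexp.MatchString(patVal, reqVal)
	return err == nil && ok
}

// aclEnforce evaluates
//   m = r.sub == p.sub && r.obj == p.obj && regexMatch(r.act, p.act)
// under some(where (p.eft == allow)): any one matching rule allows.
func aclEnforce(policies []policy, sub, obj, act string) bool {
	for _, p := range policies {
		if sub == p.sub && obj == p.obj && regexMatch(act, p.act) {
			return true
		}
	}
	return false
}

// The policy rows from the page, embedded so the example runs offline.
const aclPolicyCSV = `
# Format: p, subject, object, action
p, alice, /data1, GET
p, alice, /data1, POST
p, bob, /data2, GET
p, bob, /data2, POST
`

func main() {
	ps := parsePolicies(aclPolicyCSV)
	for _, r := range [][3]string{
		{"alice", "/data1", "GET"},
		{"alice", "/data2", "GET"},
		{"bob", "/data2", "GET"},
		{"bob", "/data1", "POST"},
		{"bob", "/data2", "FORGET"}, // constructed: "GET" matches inside "FORGET"
	} {
		fmt.Printf("%-6s %-7s %-7s -> %v\n", r[0], r[1], r[2], aclEnforce(ps, r[0], r[1], r[2]))
	}
}
```

Replacing the action column with anchored patterns such as ^GET$ makes the last request fail while leaving the matrix unchanged.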
III. RBAC Model Configuration
3.1 RBAC Model Configuration
g(r.sub, p.sub) is true when the request subject holds the policy role, directly or through inherited roles. keyMatch treats a trailing * as a wildcard, so /* covers every path under / and /projects/* every path below /projects/.

```ini
# rbac_model.conf - RBAC model configuration
[request_definition]
r = sub, obj, act
[policy_definition]
p = sub, obj, act
[role_definition]
g = _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
m = g(r.sub, p.sub) && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
```
3.2 RBAC Policy Configuration

```csv
# rbac_policy.csv - Role permission configuration
# Role permissions (p rows): the subject is a role name
p, admin, /*, GET|POST|PUT|DELETE
p, developer, /projects/*, GET|POST
p, viewer, /projects/*, GET
# User role assignments (g rows)
g, alice, admin
g, bob, developer
g, charlie, viewer
```
3.3 RBAC Role Permission Matrix

| Role | Resource Scope | GET | POST | PUT | DELETE |
|---|---|---|---|---|---|
| admin | /* | ✅ | ✅ | ✅ | ✅ |
| developer | /projects/* | ✅ | ✅ | ❌ | ❌ |
| viewer | /projects/* | ✅ | ❌ | ❌ | ❌ |
IV. ABAC Model Configuration
4.1 ABAC Model Configuration
The model below is RBAC filtered by one attribute: the request carries the caller's department and a rule applies only when that department matches. The matcher must still compare the subject; without r.sub == p.sub every rule of a department applies to every caller in it, and an employee could use the manager's DELETE row. Genuine attribute evaluation in Casbin passes an object as the request element and references its fields in the matcher (for example r.sub.Department == p.dept); the flat column used here keeps the policy in CSV.

```ini
# abac_model.conf - ABAC model configuration
[request_definition]
r = sub, obj, act, dept
[policy_definition]
p = sub, obj, act, dept
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
# r.sub == p.sub is required: without it the department alone selects rules
m = r.sub == p.sub && r.dept == p.dept && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
```
4.2 ABAC Policy Configuration
# abac_policy.csv - Attribute-based permission rules
# Format: p, role, resource, action, department
p, employee, /reports, GET|POST, sales
p, manager, /reports, GET|POST|DELETE, sales
p, employee, /reports, GET|POST, engineering
p, manager, /reports, GET|POST|DELETE, engineering
4.3 ABAC Permission Evaluation Matrix

| User Role | Department | Report Action | Allowed | Condition |
|---|---|---|---|---|
| employee | sales | GET report | ✅ | Role and department match |
| manager | sales | DELETE report | ✅ | Manager row for sales includes DELETE |
| employee | marketing | GET report | ❌ | No rule for the marketing department |
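The difference between a matcher that checks only the department and one that also compares the subject is easiest to see by running both over the page's four rules. This is an added example, not Casbin's code and not from the original page; the rules are the page's, embedded inline, and because p.obj carries no wildcard here, keyMatch reduces to string equality, which is what the stand-in uses. The escalation request (an employee in sales asking for DELETE) is constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// abacRule is one "p, sub, obj, act, dept" row; abacRequest mirrors r = sub, obj, act, dept.
type abacRule struct{ sub, obj, act, dept string }
type abacRequest struct{ sub, obj, act, dept string }

// Rows from abac_policy.csv, embedded so the example runs offline.
var abacRules = []abacRule{
	{"employee", "/reports", "GET|POST", "sales"},
	{"manager", "/reports", "GET|POST|DELETE", "sales"},
	{"employee", "/reports", "GET|POST", "engineering"},
	{"manager", "/reports", "GET|POST|DELETE", "engineering"},
}

// regexMatch mirrors Casbin's built-in (unanchored Go regexp).
func regexMatch(val, pattern string) bool {
	ok, err := regexp.MatchString(pattern, val)
	return err == nil && ok
}

// deptOnlyMatcher is
//   m = r.dept == p.dept && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
// It never compares r.sub with p.sub, so every row of the request's department
// applies to every subject in it.
func deptOnlyMatcher(r abacRequest, p abacRule) bool {
	return r.dept == p.dept && r.obj == p.obj && regexMatch(r.act, p.act)
}

// fixedMatcher adds the subject comparison.
func fixedMatcher(r abacRequest, p abacRule) bool {
	return r.sub == p.sub && r.dept == p.dept && r.obj == p.obj && regexMatch(r.act, p.act)
}

// enforceABAC applies some(where (p.eft == allow)) with the given matcher.
func enforceABAC(matcher func(abacRequest, abacRule) bool, r abacRequest) bool {
	for _, p := range abacRules {
		if matcher(r, p) {
			return true
		}
	}
	return false
}

func main() {
	r := abacRequest{"employee", "/reports", "DELETE", "sales"} // constructed escalation attempt
	fmt.Println("department-only matcher:", enforceABAC(deptOnlyMatcher, r)) // true
	fmt.Println("matcher with r.sub == p.sub:", enforceABAC(fixedMatcher, r)) // false
}
```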
V. Domain RBAC Configuration
5.1 Domain RBAC Model Configuration
The role link g = _, _, _ carries the tenant, so a role held in tenantA says nothing about tenantB. The matcher must also compare r.dom with p.dom: g(r.sub, p.sub, r.dom) only checks that the caller holds the role in the requested tenant, and without the extra term a permission row written for another tenant's copy of the same role name would still apply.

```ini
# domain_rbac_model.conf
[request_definition]
r = sub, dom, obj, act
[policy_definition]
p = sub, dom, obj, act
[role_definition]
g = _, _, _
[policy_effect]
e = some(where (p.eft == allow))
[matchers]
# r.dom == p.dom keeps one tenant's rows from applying to another tenant's callers
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && keyMatch(r.obj, p.obj) && regexMatch(r.act, p.act)
```
5.2 Domain RBAC Policy Configuration

```csv
# domain_rbac_policy.csv
# Tenant A permissions
p, admin, tenantA, /data/*, GET|POST|PUT|DELETE
p, user, tenantA, /data/*, GET|POST
# Tenant B permissions
p, admin, tenantB, /data/*, GET|POST|PUT|DELETE
p, user, tenantB, /data/*, GET
# User role mappings
g, alice, admin, tenantA
g, bob, user, tenantA
g, charlie, admin, tenantB
```
5.3 Multi-tenant Permission Matrix

| Tenant | User | Role | Resource Scope | GET | POST | PUT | DELETE |
|---|---|---|---|---|---|---|---|
| tenantA | alice | admin | /data/* | ✅ | ✅ | ✅ | ✅ |
| tenantA | bob | user | /data/* | ✅ | ✅ | ❌ | ❌ |
| tenantB | charlie | admin | /data/* | ✅ | ✅ | ✅ | ✅ |
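The following stand-in evaluator covers both the RBAC model of section III and the domain model of section V (the former is the latter with an empty domain): it parses the p and g rows, implements Casbin's keyMatch and regexMatch semantics and a transitive g(sub, role, dom), and shows what the matcher leaks when r.dom == p.dom is omitted. This is an added example, not Casbin's code and not from the original page. The policy rows are the page's; the link for dave (a plain user in tenantB) is constructed for the demonstration. Because tenantA's user role allows POST and tenantB's only GET, a matcher without the domain comparison lets dave POST in tenantB through tenantA's row.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rule is a "p, sub, dom, obj, act" row and link a "g, user, role, dom" row.
// The non-domain RBAC model of section III is the same with dom = "".
type rule struct{ sub, dom, obj, act string }
type link struct{ user, role, dom string }

// loadPolicy parses Casbin CSV rows into permission rules and role links;
// blank and comment lines fall through the switch untouched.
func loadPolicy(text string) (rules []rule, links []link) {
	for _, line := range strings.Split(text, "\n") {
		f := strings.Split(strings.TrimSpace(line), ",")
		for i := range f {
			f[i] = strings.TrimSpace(f[i])
		}
		switch {
		case f[0] == "p" && len(f) == 5:
			rules = append(rules, rule{f[1], f[2], f[3], f[4]})
		case f[0] == "g" && len(f) == 4:
			links = append(links, link{f[1], f[2], f[3]})
		}
	}
	return rules, links
}

// keyMatch mirrors Casbin's built-in: "*" in the pattern matches any suffix.
func keyMatch(key, pattern string) bool {
	i := strings.Index(pattern, "*")
	if i == -1 {
		return key == pattern
	}
	if len(key) > i {
		return key[:i] == pattern[:i]
	}
	return key == pattern[:i]
}

// regexMatch mirrors Casbin's built-in: an unanchored Go regexp.
func regexMatch(val, pattern string) bool {
	ok, err := regexp.MatchString(pattern, val)
	return err == nil && ok
}

// hasRole is g(user, role, dom): true when user == role or when user reaches
// role through the links of that domain (inheritance is transitive in Casbin).
func hasRole(links []link, user, role, dom string) bool {
	seen := map[string]bool{user: true}
	queue := []string{user}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		if cur == role {
			return true
		}
		for _, l := range links {
			if l.user == cur && l.dom == dom && !seen[l.role] {
				seen[l.role] = true
				queue = append(queue, l.role)
			}
		}
	}
	return false
}

// enforce applies some(where (p.eft == allow)). checkDom toggles the
// r.dom == p.dom term: false reproduces a matcher that only has
// g(r.sub, p.sub, r.dom), true the corrected one.
func enforce(rules []rule, links []link, checkDom bool, sub, dom, obj, act string) bool {
	for _, p := range rules {
		if hasRole(links, sub, p.sub, dom) && (!checkDom || dom == p.dom) &&
			keyMatch(obj, p.obj) && regexMatch(act, p.act) {
			return true
		}
	}
	return false
}

// Policy rows from the page plus one constructed link (dave, a plain user in
// tenantB) that exposes what the missing domain comparison leaks.
const domainPolicyCSV = `
p, admin, tenantA, /data/*, GET|POST|PUT|DELETE
p, user, tenantA, /data/*, GET|POST
p, admin, tenantB, /data/*, GET|POST|PUT|DELETE
p, user, tenantB, /data/*, GET
g, alice, admin, tenantA
g, bob, user, tenantA
g, charlie, admin, tenantB
g, dave, user, tenantB
`

func main() {
	rules, links := loadPolicy(domainPolicyCSV)
	fmt.Println("alice DELETE in tenantA:", enforce(rules, links, true, "alice", "tenantA", "/data/1", "DELETE"))
	fmt.Println("alice DELETE in tenantB:", enforce(rules, links, true, "alice", "tenantB", "/data/1", "DELETE"))
	fmt.Println("dave POST in tenantB, no r.dom == p.dom:", enforce(rules, links, false, "dave", "tenantB", "/data/1", "POST"))
	fmt.Println("dave POST in tenantB, with r.dom == p.dom:", enforce(rules, links, true, "dave", "tenantB", "/data/1", "POST"))
}
```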
VI. Performance Optimization
6.1 Cache Configuration Parameters
Casbin's CachedEnforcer memoises Enforce results by request key. The settings below map to its EnableCache, SetCache and SetExpireTime calls. A cached allow is only as fresh as the last InvalidateCache, so keep the expiry short and invalidate on every policy change, including changes made outside the enforcer (editing the CSV or the database directly).

| Parameter | Description | Default | Recommended |
|---|---|---|---|
| enableCache | Cache Enforce results per request | Off for the plain Enforcer, on for CachedEnforcer | ✅ for read-heavy workloads |
| cacheCapacity | Maximum number of cached decisions | Not a core Casbin setting; depends on the cache implementation passed to SetCache | Based on memory |
| cacheTTL | Expiry of cached decisions (SetExpireTime) | No expiry unless set | Short, based on how quickly revocations must take effect |
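The revocation hazard of a decision cache is concrete enough to simulate. The code below is an added example, not Casbin's CachedEnforcer, but it has the same shape (per-request memoisation, an expire time, an invalidate call) over a deliberately minimal exact-match ACL; the clock is injected so the expiry can be exercised without sleeping. It grants alice GET on /data1, warms the cache, revokes the row, and reports whether the stale allow survives, with and without invalidation and with a 24h versus no expiry.

```go
package main

import (
	"fmt"
	"time"
)

type cachedDecision struct {
	allowed bool
	expires time.Time
}

// decisionCache memoises Enforce results per request key with an expiry, the
// shape of Casbin's CachedEnforcer (enableCache + expire time). The clock is
// injectable so expiry can be shown without sleeping.
type decisionCache struct {
	ttl     time.Duration
	now     func() time.Time
	entries map[string]cachedDecision
}

func newDecisionCache(ttl time.Duration, now func() time.Time) *decisionCache {
	return &decisionCache{ttl: ttl, now: now, entries: map[string]cachedDecision{}}
}

// get returns a cached decision that has not expired; ttl <= 0 means never expire.
func (c *decisionCache) get(key string) (allowed, found bool) {
	e, ok := c.entries[key]
	if !ok || (c.ttl > 0 && !c.now().Before(e.expires)) {
		return false, false
	}
	return e.allowed, true
}

func (c *decisionCache) put(key string, allowed bool) {
	c.entries[key] = cachedDecision{allowed: allowed, expires: c.now().Add(c.ttl)}
}

// invalidate must run on every policy change (Casbin: InvalidateCache).
func (c *decisionCache) invalidate() { c.entries = map[string]cachedDecision{} }

// policyStore is a deliberately minimal ACL of exact (sub, obj, act) rows.
type policyStore struct{ rows map[[3]string]bool }

// cachedEnforcer consults the cache before the policy store.
type cachedEnforcer struct {
	store *policyStore
	cache *decisionCache
}

func (e *cachedEnforcer) Enforce(sub, obj, act string) bool {
	key := sub + "\x00" + obj + "\x00" + act // NUL separator so "ab"+"c" and "a"+"bc" cannot collide
	if v, ok := e.cache.get(key); ok {
		return v
	}
	v := e.store.rows[[3]string{sub, obj, act}]
	e.cache.put(key, v)
	return v
}

// RemovePolicy revokes a row. invalidate=false models a code path that edits
// policy behind the enforcer's back (writing the CSV or the database directly).
func (e *cachedEnforcer) RemovePolicy(sub, obj, act string, invalidate bool) {
	delete(e.store.rows, [3]string{sub, obj, act})
	if invalidate {
		e.cache.invalidate()
	}
}

// staleAllowAfterRevoke grants alice GET on /data1, warms the cache, revokes the
// row and reports what Enforce answers right away and again once ttl has passed.
func staleAllowAfterRevoke(ttl time.Duration, invalidate bool) (immediately, afterTTL bool) {
	clock := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC) // constructed fixed clock
	e := &cachedEnforcer{
		store: &policyStore{rows: map[[3]string]bool{{"alice", "/data1", "GET"}: true}},
		cache: newDecisionCache(ttl, func() time.Time { return clock }),
	}
	e.Enforce("alice", "/data1", "GET") // caches allow
	e.RemovePolicy("alice", "/data1", "GET", invalidate)
	immediately = e.Enforce("alice", "/data1", "GET")
	clock = clock.Add(ttl + time.Second)
	afterTTL = e.Enforce("alice", "/data1", "GET")
	return immediately, afterTTL
}

func main() {
	for _, tc := range []struct {
		ttl        time.Duration
		invalidate bool
	}{{24 * time.Hour, false}, {0, false}, {24 * time.Hour, true}} {
		now, later := staleAllowAfterRevoke(tc.ttl, tc.invalidate)
		fmt.Printf("ttl=%v invalidate=%v: allowed right after revoke=%v, after ttl=%v\n", tc.ttl, tc.invalidate, now, later)
	}
}
```

With a 24h expiry and no invalidation the revoked user keeps access for a day; with no expiry at all the stale allow never goes away. Invalidation on change is the only setting in which the revoke takes effect immediately.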
6.2 Optimization Impact Comparison

| Optimization | Before QPS | After QPS | Improvement | Memory Impact |
|---|---|---|---|---|
| Enable cache | 5000 | 15000 | 200% | +50 MB |
| Batch policy loading | 2000 | 8000 | 300% | +20 MB |
| Async policy update | 3000 | 9000 | 200% | +10 MB |

The gain from caching depends on the cache hit rate and the other two on policy size and matcher complexity, so benchmark against your own policy set before relying on these figures.
VII. Common Issues and Solutions
7.1 Configuration Troubleshooting Guide

| Issue | Possible Cause | Solution | Prevention |
|---|---|---|---|
| Permission check failure | Model config error (matcher syntax, token names that differ between request and policy definitions) | Check matcher syntax; test the model and policy files together | Unit testing |
| Performance degradation | Too many policies | Enable caching | Monitoring |
| Rule conflicts | Duplicate or overlapping policies (under some(where (p.eft == allow)) any one matching rule allows) | Clean redundant rules | Rule auditing |
7.2 Optimization Priorities

| Optimization Area | Measures | Difficulty | Impact |
|---|---|---|---|
| Cache optimization | Adjust cache parameters | Low | Significant |
| Policy optimization | Merge similar rules | Medium | Moderate |
| Model optimization | Simplify matchers | High | Significant |
VIII. Best Practices
8.1 Model Selection Guide

| System Characteristic | Recommended Model | Reason | Considerations |
|---|---|---|---|
| Users < 100 | ACL | Simple, direct | Maintenance cost |
| Users < 1000 | RBAC | Role management | Role design |
| Complex business rules | ABAC | Flexible control | Performance impact |
| Multi-tenant architecture | Domain RBAC | Tenant isolation | Config complexity |
8.2 Operations Management Recommendations

| Operation | Frequency | Priority | Implementation |
|---|---|---|---|
| Config backup | Daily | High | Automated backup |
| Performance monitoring | Real-time | High | Alerting system |
| Rule auditing | Weekly | Medium | Manual review |
| Load testing | Monthly | Medium | Automated tests |