TrinityCore : RBAC: Role based Access Control

Created by nayd, last modified by guybrush on Oct 29, 2013

RBAC gives more control over actions an account can perform

[ System defines ] [ Operations ] [ Precedence of operations ] [ Rules ] [ Permissions (default permissions) ] [ In-game commands ]

System defines

  • Permissions to perform some action
  • Roles: a set of permissions that have some relation

Operations

  • Grant: Assign and allow
  • Deny: Assign and do not allow
  • Revoke: Remove

Precedence of operations

  1. Grant
  2. Deny

If you are granted some action by a role but you have denied that permission, the action can not be done.

Rules

  • Permissions can have linked permissions (thus creating a role).
  • An account can be assigned granted and denied roles. Permissions inherited from roles are granted if roles is granted and denied if roles is denied.
  • An account can be assigned granted and denied permissions.
  • An account can have multiple roles and permissions.
  • An account can not have same permission or role granted and denied at same time.
  • Id 0 can not be used to define a permission.

 

Permissions (default permissions)

See rbac_permissions table for complete listing of available permissions and associated id. This table is self-explanatory.

In-game commands

NameSyntaxDescription
.rbac accountSyntax: .rbac account [$account]

View permissions of selected player or given account

Note: Only those that affect current realm

Note: Shows real permissions after checking group and roles

.rbac account permissionSyntax: .rbac account list [$account]

View permissions of selected player or given account

Note: Only those that affect current realm

Note: Only those directly granted or denied, does not include inherited permissions from roles

.rbac account grantSyntax: .rbac account grant [$account] #id [#realmId]

Grant a permission to selected player or given account.

#reamID may be -1 for all realms.

.rbac account denySyntax: .rbac account deny [$account] #id [#realmId]

Deny a permission to selected player or given account.

#reamID may be -1 for all realms.

.rbac account revokeSyntax: .rbac account revoke [$account] #id

Remove a permission from an account

Note: Removes the permission from granted or denied permissions

.rbac listSyntax: .rbac list

View list of all permissions.

If $id is given will show only info for that permission.

 

Related tables (`auth` database)

Table NameTable DescriptionField NameField TypeField Description
rbac_account_permissionsAccount-Permission relationaccountIdintAccount id
permissionIdintPermission id
grantedintGranted = 1, Denied = 0
realmIdintRealm Id, -1 means all
rbac_permissionsPermission ListidintPermission id
nametextPermission name
rbac_default_permissionsDefault permissions to assign to a specific security level (account_access)secIdintSecurity Level id
permissionIdintPermission id
rbac_linked_permissions

Assigns permissions to roles (see rbac_permissions for permissions with name "role")

Can also be used to link permissions to permissions (creating new roles)

idintSecurity Level id
linkedIdintPermission id

 

 

Suggestion

Icon

Create a web interface (in PHP or other accessible web technology) to ease the management of the RBAC system.

If simple and good enough, it could possibly be added to TrinityCore repository (/contrib/ directory)!