blob: 536df16c803f11ac5abf46dc45629c3708642c3a [file] [view]
---
id: rbac-with-domains
title: RBAC with Domains
---
## Role definition with domains tenants
The RBAC roles in Casbin can be global or domain-specific. Domain-specify roles mean that the roles for a user can be different when the user is at different domains/tenants. This is very useful for large systems like a cloud, as the users are usually in different tenants.
The role definition with domains/tenants should be something like:
```ini
[role_definition]
g = _, _, _
```
The 3rd ``_`` means the name of domain/tenant, this part should not be changed. Then the policy can be:
```
p, admin, tenant1, data1, read
p, admin, tenant2, data2, read
g, alice, admin, tenant1
g, alice, user, tenant2
```
It means ``admin`` role in ``tenant1`` can read ``data1``. And ``alice`` has ``admin`` role in ``tenant1``, and has ``user`` role in ``tenant2``. So she can read ``data1``. However, since ``alice`` is not an ``admin`` in ``tenant2``, she cannot read ``data2``.
Then in a matcher, you should check the role as below:
```ini
[matchers]
m = g(r.sub, p.sub, r.dom) && r.dom == p.dom && r.obj == p.obj && r.act == p.act
```
Please see the [rbac_with_domains_model.conf](https://github.com/casbin/casbin/blob/master/examples/rbac_with_domains_model.conf) for examples.