Add RBAC with resource-scoped role assignments#1704

Open
Copilot wants to merge 3 commits intomasterfrom
copilot/implement-casbin-rbac-scope-again

Conversation


Copilot AI commented Feb 6, 2026

Enables Azure RBAC-like scoped role assignments where users with the same role only access their assigned resources. Without scoping, assigning reader to multiple users grants them identical access to all resources the role permits.

Solution

Leverage existing 3-parameter grouping (g = _, _, _) with resource as the third parameter:

// Before: Both users get access to all resources reader can access
p, reader, resource1, read
p, reader, resource2, read
g, user1, reader
g, user2, reader

// After: Each user scoped to specific resource
p, reader, resource1, read
p, reader, resource2, read
g, user1, reader, resource1  // user1 → resource1 only
g, user2, reader, resource2  // user2 → resource2 only

Model matcher:

[role_definition]
g = _, _, _

[matchers]
m = g(r.sub, p.sub, r.obj) && r.obj == p.obj && r.act == p.act

Multi-tenant variant using concatenated scope:

m = g(r.sub, p.sub, r.tenant + "::" + r.obj) && r.tenant == p.tenant && r.obj == p.obj && r.act == p.act

Changes

  • Examples: Model/policy pairs for simple and multi-tenant resource scoping

    • rbac_with_resource_scope_model.conf + rbac_with_resource_scope_policy.csv
    • rbac_with_resource_scope_tenant_model.conf + rbac_with_resource_scope_tenant_policy.csv
  • Tests: rbac_api_with_resource_scope_test.go covering simple, multi-tenant, and isolation scenarios

  • Documentation: RBAC_WITH_RESOURCE_SCOPE.md with usage patterns and Azure RBAC comparison

  • Demo: examples/rbac_with_resource_scope_demo.go

API Usage

Standard RBAC APIs work with scope as domain parameter:

e.GetRolesForUser("user1", "resource1")          // ["reader"]
e.AddRoleForUser("user3", "writer", "resource1") // scoped assignment
e.Enforce("user1", "resource1", "read")          // true
e.Enforce("user1", "resource2", "read")          // false - different scope

No core library changes required.

Original prompt

This section details the original issue you should resolve

<issue_title>Casbin Rbac with Resource scope</issue_title>
<issue_description>@rahulsharma0525

Discussed in #1586

Originally posted by rahulsharma0525 November 20, 2025
Hello Community

I am trying to implement an internal authz system for an internal product. It should support multitenancy because the product may expand as an external solution.

my scenario is role reuse with different scopes within same tenant

example:

user1 --> reader-> resource1-->tenant1
user2 --> reader-> resource2-->tenant1

How do I implement this in Casbin? I am aware Casbin supports RBAC, but if I just follow the RBAC model I cannot assign a role without affecting user1's scope. In the example below, because I assigned user2 the reader role, if I need to access resource2 I will have to increase the reader role's scope, which also increases the scope for user1. How do I keep them independent and still reuse the role? This is pretty much the model used in Azure RBAC.

p, reader1, tenant1, resource1, read
p, reader1, tenant1, resource2, read

g, user1, reader
g, user2, reader

Thanks
Rahul

</issue_description>

Comments on the Issue (you are @copilot in this section)

@hsluoyz @rahulsharma0525 see the code here: https://github.com//pull/1590

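To make the isolation behaviour described in the PR checkable offline, here is an added example that is not part of this PR or of Casbin itself: a small stand-alone evaluator, written against the Go standard library only, that parses policy lines in the same CSV shape the PR uses (`p, role, obj, act` plus `g, user, role, scope`, and the tenant variant `p, role, tenant, obj, act`) and evaluates the two matchers from the description, `g(r.sub, p.sub, r.obj) && r.obj == p.obj && r.act == p.act` and its `r.tenant + "::" + r.obj` form. The policies in the block are constructed for the demonstration; the function names `parsePolicy`, `hasRole`, `enforce` and `enforceTenant` are this example's own, not Casbin APIs.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not Casbin code: a minimal evaluator reproducing the
// semantics of
//   g = _, _, _
//   m = g(r.sub, p.sub, r.obj) && r.obj == p.obj && r.act == p.act
// and the multi-tenant variant, so resource-scoped assignments can be
// checked without the library.

// rule is one parsed policy line: the ptype ("p" or "g") and its fields.
type rule struct {
	ptype  string
	fields []string
}

// parsePolicy splits CSV policy text into rules, skipping blank lines and
// lines starting with "#".
func parsePolicy(csv string) []rule {
	var rules []rule
	for _, line := range strings.Split(csv, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		parts := strings.Split(line, ",")
		for i := range parts {
			parts[i] = strings.TrimSpace(parts[i])
		}
		rules = append(rules, rule{ptype: parts[0], fields: parts[1:]})
	}
	return rules
}

// hasRole is g(user, role, scope): true only if a "g" line binds user to
// role with exactly that scope string. There is no scope-less fallback.
func hasRole(rules []rule, user, role, scope string) bool {
	for _, r := range rules {
		if r.ptype == "g" && len(r.fields) == 3 &&
			r.fields[0] == user && r.fields[1] == role && r.fields[2] == scope {
			return true
		}
	}
	return false
}

// enforce evaluates the simple model. The requested object is passed as the
// scope argument of g(), so an assignment only unlocks the "p" lines whose
// object equals the scope it was made for.
func enforce(rules []rule, sub, obj, act string) bool {
	for _, p := range rules {
		if p.ptype != "p" || len(p.fields) != 3 {
			continue
		}
		if hasRole(rules, sub, p.fields[0], obj) && obj == p.fields[1] && act == p.fields[2] {
			return true
		}
	}
	return false
}

// enforceTenant evaluates the multi-tenant variant: "p, role, tenant, obj,
// act" lines and a concatenated scope of tenant + "::" + obj.
func enforceTenant(rules []rule, sub, tenant, obj, act string) bool {
	scope := tenant + "::" + obj
	for _, p := range rules {
		if p.ptype != "p" || len(p.fields) != 4 {
			continue
		}
		if hasRole(rules, sub, p.fields[0], scope) &&
			tenant == p.fields[1] && obj == p.fields[2] && act == p.fields[3] {
			return true
		}
	}
	return false
}

// Constructed policies mirroring the PR's "after" example; user3 shows the
// same role reused twice with different scopes.
const simplePolicy = `
p, reader, resource1, read
p, reader, resource2, read
g, user1, reader, resource1
g, user2, reader, resource2
g, user3, reader, resource1
g, user3, reader, resource2
`

// Constructed tenant policy: the reader role has a "p" line in tenant2, but
// user1's assignment is scoped to tenant1::resource1 only.
const tenantPolicy = `
p, reader, tenant1, resource1, read
p, reader, tenant1, resource2, read
p, reader, tenant2, resource1, read
g, user1, reader, tenant1::resource1
g, user2, reader, tenant1::resource2
`

func main() {
	s := parsePolicy(simplePolicy)
	fmt.Println(enforce(s, "user1", "resource1", "read"))
	fmt.Println(enforce(s, "user1", "resource2", "read"))
	t := parsePolicy(tenantPolicy)
	fmt.Println(enforceTenant(t, "user1", "tenant1", "resource1", "read"))
	fmt.Println(enforceTenant(t, "user1", "tenant2", "resource1", "read"))
}
```

Two caveats a practitioner should keep in mind when adopting the PR's matchers. Because the scope is compared with plain `==`, an assignment scoped to `resource1` grants nothing on a differently named child such as `resource1/sub`; hierarchical scopes would need a matching function in the matcher, which this PR does not add. And this stand-in only looks up direct `g` lines, whereas Casbin's role manager also follows role-to-role links; the isolation property itself does not depend on that difference.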


@hsluoyz hsluoyz marked this pull request as ready for review February 6, 2026 12:15
Copilot AI and others added 2 commits February 6, 2026 12:18
Co-authored-by: hsluoyz <3787410+hsluoyz@users.noreply.github.com>
Co-authored-by: hsluoyz <3787410+hsluoyz@users.noreply.github.com>
Copilot AI changed the title [WIP] Implement Casbin RBAC with resource scope support Add RBAC with resource-scoped role assignments Feb 6, 2026
Copilot AI requested a review from hsluoyz February 6, 2026 12:21

Development

Successfully merging this pull request may close these issues.

Casbin Rbac with Resource scope