[RBAC w/ Domain] Checking for an object/action permission in any domain.

I’m attempting to figure out how to discover if a user has the ability to perform a specific action on an object in any of my domains. Here’s basically what I’m working with:

config

    [request_definition]
    r = sub, dom, obj, act

    [policy_definition]
    p = sub, dom, obj, act

    [role_definition]
    g = _, _, _

    [policy_effect]
    e = some(where (p.eft == allow))

    [matchers]
    m = g(r.sub, p.sub, r.dom) && r.obj == p.obj && r.act == p.act

policies

    p, admin, tenant1, data1, read
    p, admin, tenant1, data1, write
    p, admin, tenant1, data2, read
    p, admin, tenant1, data2, write
    p, user, tenant1, data1, read
    p, user, tenant1, data2, read

    p, admin, tenant2, data1, read
    p, admin, tenant2, data1, write
    p, admin, tenant2, data2, read
    p, admin, tenant2, data2, write
    p, user, tenant2, data1, read
    p, user, tenant2, data2, read

    g, alice, admin, tenant1
    g, bob, user, tenant2

I want to check if Alice has the write action on data1 for any domain. What is the best way to do this?

I can do an enforce and supply a domain to check if the user has data1 write access, but I can’t do it for all domains at once.

I have attempted to add a custom domain matching function using the following code, but the wildCardDomainMatch doesn’t seem to ever be called.

initialization

    this._permissionEnforcer = await newEnforcer(this._model, this._adapter);
    const rm = new DefaultRoleManager(10);
    await rm.addDomainMatchingFunc(this.wildCardDomainMatch);
    await this._permissionEnforcer.setRoleManager(rm);
    await this._permissionEnforcer.loadPolicy();

Domain Match Function

    private wildCardDomainMatch = (requestDomain: string, policyDomain: string): boolean => {
      if (requestDomain === "*") {
        return true;
      }

      return requestDomain === policyDomain;
    };
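
An added sketch, not part of the original issue and not node-casbin's own code: a small stand-alone TypeScript evaluator for the model and policy above that answers the "any domain" question by running a per-domain check for each domain in which the subject has a role. The names `g`, `enforce` and `domainsAllowing` are hypothetical, and the matcher here additionally requires `r.dom == p.dom`, as Casbin's stock RBAC-with-domains model does.

```typescript
// Added sketch, not node-casbin code. Policy text copied from the issue.
const POLICY_CSV = `
p, admin, tenant1, data1, read
p, admin, tenant1, data1, write
p, admin, tenant1, data2, read
p, admin, tenant1, data2, write
p, user, tenant1, data1, read
p, user, tenant1, data2, read
p, admin, tenant2, data1, read
p, admin, tenant2, data1, write
p, admin, tenant2, data2, read
p, admin, tenant2, data2, write
p, user, tenant2, data1, read
p, user, tenant2, data2, read
g, alice, admin, tenant1
g, bob, user, tenant2`;

const rows = POLICY_CSV.trim().split("\n").map((l) => l.split(",").map((f) => f.trim()));
const pRules = rows.filter((r) => r[0] === "p"); // [p, sub, dom, obj, act]
const gRules = rows.filter((r) => r[0] === "g"); // [g, user, role, dom]

// g(r.sub, p.sub, r.dom): direct match or a one-level role link in that domain
// (the issue's policy has no nested roles, so no transitive walk is done here).
function g(user: string, role: string, dom: string): boolean {
  return user === role || gRules.some((r) => r[1] === user && r[2] === role && r[3] === dom);
}

// One enforce() decision. Unlike the matcher in the issue, this also requires
// r.dom == p.dom, so a role held in one tenant never picks up another
// tenant's policy rows.
function enforce(sub: string, dom: string, obj: string, act: string): boolean {
  return pRules.some((p) => g(sub, p[1], dom) && dom === p[2] && obj === p[3] && act === p[4]);
}

// "Any domain" check: try only the domains where the subject holds a role or
// has a direct policy row, and return the ones that allow the action.
function domainsAllowing(sub: string, obj: string, act: string): string[] {
  const candidates = gRules.filter((r) => r[1] === sub).map((r) => r[3])
    .concat(pRules.filter((p) => p[1] === sub).map((p) => p[2]));
  return candidates.filter((dom, i) => candidates.indexOf(dom) === i && enforce(sub, dom, obj, act));
}

console.log(domainsAllowing("alice", "data1", "write")); // ["tenant1"]
```

Returning the list of allowing domains rather than a bare boolean keeps the answer auditable: the caller can see which tenant granted the permission.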

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Comments: 17 (13 by maintainers)

Top GitHub Comments

3 reactions
cwkang1998 commented, Mar 6, 2022

Thanks for reminding me @Shivansh-yadav13, I will submit a PR either by tonight or tmr night.

1 reaction
Shivansh-yadav13 commented, Mar 5, 2022

Do we still plan to add GetUsersForRoleInDomain() & GetRolesForUserInDomain() for node-casbin? & additional getImplicitCrossDomainPermissionsForUser()?
