A Role-Based Access Control (RBAC) engine implemented in Java.
Designed for systems that require clear separation of duties, explicit permission control, runtime configuration, and auditable authorization logic.
Extracted from XQRiskCore, this module functions as a standalone policy enforcement layer.
This system does not handle authentication.
Identity verification must be performed upstream.
This module focuses exclusively on authorization:
- Resolve user → role
- Resolve role → permissions
- Validate whether a requested action is allowed
All decisions are configuration-driven.
- Strict role isolation
- Explicit permission grants only
- No implicit inheritance
- External YAML configuration
- Runtime reload capability
- Deterministic permission validation
No permission logic is embedded in business code.
The following diagram outlines the runtime structure and permission validation flow.
```
                ┌────────────────────────────┐
                │ RBACCli.java               │
                │────────────────────────────│
                │ Prompts for user_id        │
                │ Prompts for permission_key │
                └────────────┬───────────────┘
                             │ calls
                             ▼
                ┌────────────────────────────┐
                │ ContextBuilder             │
                │────────────────────────────│
                │ buildUserContext(user_id)  │
                └────────────┬───────────────┘
                             │
             ┌───────────────┴────────────────────────────┐
             │                                            │
             ▼                                            ▼
┌────────────────────────────┐               ┌─────────────────────────────┐
│ UserRegistryManager        │               │ PermissionsManager          │
│────────────────────────────│               │─────────────────────────────│
│ Loads: UserRegistry.yaml   │               │ Loads: RolePermissions.yaml │
│ Resolves user → role       │               │ Resolves role → permissions │
└────────────┬───────────────┘               └────────────┬────────────────┘
             │ returns role                               │ returns perm set
             └────────────┬───────────────┬───────────────┘
                          ▼               ▼
                  ┌──────────────────────────────────┐
                  │ UserContext                      │
                  │──────────────────────────────────│
                  │ user_id                          │
                  │ role                             │
                  │ permission_map (resolved perms)  │
                  └───────────────┬──────────────────┘
                                  │
                        ┌─────────▼─────────┐
                        │ checkPermission() │
                        └─────────┬─────────┘
                                  │
                     ┌────────────▼─────────────┐
                     │ PermissionsManager       │
                     │ hasPermission(user, key) │
                     └────────────┬─────────────┘
                                  │
                                  ▼
              ┌────────────────────────────────────────┐
              │ PermissionsManager (internal logging)  │
              │────────────────────────────────────────│
              │ logGrantChange(user, key, value, ts)   │
              └────────────────────────────────────────┘

(Admin Console Path: Grant / Revoke / Save / Reload)

┌────────────────────────────┐
│ AdminCommandConsole.java   │
│────────────────────────────│
│ grant / revoke / reload    │
└────────────┬───────────────┘
             ▼
┌────────────────────────────┐
│ PermissionsManager         │
│────────────────────────────│
│ reload(), save()           │
└────────────┬───────────────┘
             ▼
┌────────────────────────────┐
│ YamlLoader.java            │
└────────────────────────────┘
```
```
rbac-java/
├── pom.xml
├── config/
│   ├── RolePermissions.yaml
│   └── UserRegistry.yaml
├── src/main/java/
│   ├── admin/
│   ├── cli/
│   ├── context/
│   ├── core/
│   ├── model/
│   ├── users/
│   └── utils/
└── src/test/java/
```

config/RolePermissions.yaml:

```yaml
admin:
  - admin.manage_users
  - admin.edit_asset_config
trader:
  - trader.submit_manual_trade
  - trader.view_portfolio
```

config/UserRegistry.yaml:

```yaml
alice:
  role: admin
  active: true
bob:
  role: trader
  active: true
```

Permissions are enforced exactly as declared.
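
The user → role → permissions → exact-match flow described above, as an added example (Java 16+) that is not code from this repository. The class and method names are hypothetical, the maps are constructed to mirror the two YAML files, and the inactive user `carol` and the rule that an inactive user is denied are assumptions.

```java
import java.util.Map;
import java.util.Set;

// Added example, not the project's code. All names here are hypothetical.
public class RbacFlowDemo {
    // Mirrors one UserRegistry.yaml entry: role plus active flag.
    record UserEntry(String role, boolean active) {}

    // Constructed data mirroring UserRegistry.yaml, plus one constructed
    // inactive user ("carol") to exercise the active flag.
    static final Map<String, UserEntry> USERS = Map.of(
        "alice", new UserEntry("admin", true),
        "bob",   new UserEntry("trader", true),
        "carol", new UserEntry("trader", false));

    // Constructed data mirroring RolePermissions.yaml.
    static final Map<String, Set<String>> ROLE_PERMISSIONS = Map.of(
        "admin",  Set.of("admin.manage_users", "admin.edit_asset_config"),
        "trader", Set.of("trader.submit_manual_trade", "trader.view_portfolio"));

    // user -> role -> permission set -> exact-match check. Every miss denies.
    static boolean isAllowed(String userId, String permissionKey) {
        // Map.of/Set.of throw NullPointerException on null lookups, so deny first.
        if (userId == null || permissionKey == null) return false;
        UserEntry user = USERS.get(userId);
        // Unknown user denies; denying inactive users is an assumption here.
        if (user == null || !user.active()) return false;
        Set<String> granted = ROLE_PERMISSIONS.get(user.role());
        if (granted == null) return false; // role missing from permission config
        return granted.contains(permissionKey); // no wildcards, no inheritance
    }

    public static void main(String[] args) {
        String[][] requests = {
            {"alice",   "admin.manage_users"},         // granted to admin
            {"alice",   "trader.submit_manual_trade"}, // admin does not inherit trader
            {"bob",     "trader.view_portfolio"},      // granted to trader
            {"bob",     "admin.edit_asset_config"},    // not granted to trader
            {"carol",   "trader.view_portfolio"},      // inactive user
            {"mallory", "admin.manage_users"},         // not in the registry
        };
        for (String[] r : requests) {
            System.out.printf("%-8s %-28s %s%n", r[0], r[1],
                isAllowed(r[0], r[1]) ? "ALLOW" : "DENY");
        }
    }
}
```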
```
mvn clean compile
mvn exec:java -Dexec.mainClass=cli.RBACCli
```

MIT
Xiaoyu Qian
https://github.com/XiaoyuQian829