Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Extend # in relation types to support permissions #1013

Open
UnguidedFreedom opened this issue Jan 17, 2024 · 0 comments
Open

Extend # in relation types to support permissions #1013

UnguidedFreedom opened this issue Jan 17, 2024 · 0 comments
Assignees
@EgeAytin @tolgaOzen
Labels
feature request New feature or request

Comments

@UnguidedFreedom
Copy link

UnguidedFreedom commented Jan 17, 2024
edited
Loading

Is your feature request related to a problem? Please describe.
When defining the types of a relation, there are currently two options: an entity, or an entity's relation. Not having the ability to target an entity's permissions is quite limiting.

Example scenario: recursive ReBAC and indirect uses of it. I want to model nested groups as well as documents. Access to a document can be given to either a user or a group; and giving a group access should follow the inheritance of the group.

Let's say I have the following group structure:

  • group:Engineering
    • group:Hardware
      • group:Mechanical
      • group:Electronics
    • group:Software
      • group:Backend
      • group:Frontend

I want to give both user:Ben and members of group:Electronics read access to document:PCB_files. Because members of group:Electronics have access, members of group:Hardware and group:Engineering should also have access.

Describe the solution you'd like
The suggested solution would be to extend the # operator in relation type definitions to support specifying permissions in addition to relations.

The resulting schema would look something like this:

entity user {}

entity group {
    relation direct_member @user
    relation parent @group

    permission member = direct_member or parent.member
}

entity document {
    relation owner @user
    relation writer @user @group#member
    relation reader @user @group#member

    action write = owner or writer
    action read = owner or writer or reader
}

Describe alternatives you've considered
The current approach to achieve this is as follows, which is less than elegant:

entity user {}

entity group {
    relation direct_member @user
    relation parent @group

    permission member = direct_member or parent.member
}

entity document {
    relation owner @user
    relation writer @user
    relation writer_g @group
    relation reader @user
    relation reader_g @group

    action write = owner or writer or writer_g.member
    action read = owner or writer or writer_g.member or reader or reader_g.member
}

Additional context
This feature is supported by the Google Zanzibar whitepaper, as well as several Authorization alternatives such as SpiceDB or OpenFGA.
@UnguidedFreedom UnguidedFreedom added the feature request New feature or request label Jan 17, 2024
@tolgaOzen tolgaOzen moved this to Q4 2024 – Oct-Dec in Public Roadmap Sep 13, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@EgeAytin EgeAytin

@tolgaOzen tolgaOzen

Labels
feature request New feature or request
Projects
Public Roadmap
Status: Q4 2024 – Oct-Dec
Milestone
No milestone
Development

No branches or pull requests
3 participants
@UnguidedFreedom @EgeAytin @tolgaOzen