We wrote what's probably the most comprehensive blog post on Zanzibar a while back. I noticed it wasn't discussed here so here it is: https://authzed.com/blog/what-is-zanzibar

Hello! Does Zanzibar supports ABAC or constraint based permits (conditional permits)? For eg. In the github permissions example, Let us say we have an org o1, with repos - r1, r2 & r3. Now I need to permit u1 for all repos under o1, except o1.r3. OR even better, I have access to all repos that I have created under o1, but read only for the repos created by someone else. How to implement these rules?

you'd use the exclusion operator

we also discussed it in this week's blog post

so in your GitHub example:

definition user {}

definition organization {
  relation viewer: user
  permission view_repos = viewer
}

definition repository {
  relation org: organization
  relation notallowed: user
  permission view = org->view_repos - notallowed
}

then you could "remove" a user from a specific repo by writing a relationship for the repository to the

notallowed

relation

(to match your example)

for read only access to repos created by someone else, you'd have a

view

permission "inherit" from the org, and have any other permissions (such as

write

) be only granted to the

creator

relation on the repository

like so:

definition user {}

definition organization {
  relation viewer: user
  permission view_repos = viewer
}

definition repository {
  relation org: organization
  relation creator: user

  permission write = creator
  permission view = org->view_repos + creator
}

Ah! Thanks for so quick response. Really appreciate it. Now, is there a demo site where I can create a project & run these rules / experiment ?

you can test in there and, if you want to deploy for real API testing, you can click the "Import" button on the top right

and it'll bring up the Authzed dashboard to do so

alternatively, if you want to run locally, you can run SpiceDB (https://github.com/authzed/spicedb)

and use the

zed

tool (https://github.com/authzed/zed) to load schema, write relationships, etc

zed import

supports taking a Playground URL too, so if you develop in the Playground, you can then directly load it into Authzed or SpiceDB that way too

Where can I find deploy button? Do I have to login, for that?

yes

it'll replace the "Sign In" button

hence "Sign In to Import"

Got it! 🙂 Thanks @User

anytime 🙂

if you have any other questions around schema, we recommend asking in #844600078948630559

oh! sure,, will do.

we also have a guide for doing so: https://docs.authzed.com/guides/schema

If we need to write these rules programmatically checking a backend API (a.k.a - Policy Information Point in OPA world) - Is there a way to do it at run time? For eg. A customer of GitHub wants to create new roles & exclusion rules using GitHub UI. What happens then? do we need add data to SpiceDB? with exclusions & such?

You’d need to design your schema to be more dynamic and write relationships to ensure it matches the intent

That’s a bit more in depth to discuss over chat, so if you like, you can schedule a Calendly meeting on authzed.com and we can walk you through the schema design