• ?

    user

    8 months ago
    We wrote what's probably the most comprehensive blog post on Zanzibar a while back. I noticed it wasn't discussed here so here it is: https://authzed.com/blog/what-is-zanzibar
  • firefly

    firefly

    6 months ago
    Hello! Does Zanzibar support ABAC or constraint-based permits (conditional permits)? For example, in the GitHub permissions example, let us say we have an org o1, with repos r1, r2 & r3. Now I need to permit u1 for all repos under o1, except o1.r3. Or even better, I have access to all repos that I have created under o1, but read-only for the repos created by someone else. How do I implement these rules?
  • Joey

    Joey

    6 months ago
    you'd use the exclusion operator
  • Joey

    Joey

    6 months ago
    we also discussed it in this week's blog post
  • Joey

    Joey

    6 months ago
    so in your GitHub example:
    definition user {}
    
    definition organization {
      relation viewer: user
      permission view_repos = viewer
    }
    
    definition repository {
      relation org: organization
      relation notallowed: user
      permission view = org->view_repos - notallowed
    }
  • Joey

    Joey

    6 months ago
    then you could "remove" a user from a specific repo by writing a relationship for the repository to the notallowed relation
  • Joey

    Joey

    6 months ago
    (to match your example)
  • Joey

    Joey

    6 months ago
    for read only access to repos created by someone else, you'd have a view permission "inherit" from the org, and have any other permissions (such as write) be only granted to the creator relation on the repository