Hello, I have a situation about child
# spicedbf
felix.yuan
02/02/2024, 10:26 AMHello, I have a situation about child accounts. A user may create a lot child accounts, and each child account will be granted a subset permission of its parent. If the parent permission is revoked, then all child accounts will be automatically revoked as well. Since there are a lot resources, and each resource can be granted either directly to user or to its sub accounts. Any simple way to model this in authzed schema? Thanks.
v
vroldanbet
02/02/2024, 10:55 AMThis can be easily supported with SpiceDB. Do you have any schema definition at the moment of the fundamentals of your business domain?
vroldanbet
02/02/2024, 10:57 AMthere are several examples at play.authzed.com that can serve as inspiration:
https://cdn.discordapp.com/attachments/1202923039013212221/1202930707312148571/image.png?ex=65cf3f85&is=65bcca85&hm=f20e8447a6e644fa42c695c9a330b765738ae934cb57c636fffe43367f068c87&
y
yetitwo
02/02/2024, 3:36 PMi'm actually curious about this as well - we've got a concept of "personas" which is basically the same thing that this user is describing, but we're doing all of the "persona may only have a subset of the user's permissions" logic at the level of the wrapping application, not the schema
yetitwo
02/02/2024, 3:36 PMhow would you encode that kind of logic into the schema?
f
felix.yuan
02/04/2024, 2:36 PMthe schema is attached. The schema does't enforce the restriction that accesskey can only permitted to access the resource only if both the acesskey and its parent user can access.
https://cdn.discordapp.com/attachments/1202923039013212221/1203710719800115250/image.png?ex=65d215f7&is=65bfa0f7&hm=62df459b7828056bc9dbe523293ce0863c10035a18619ef83645d2eb15533823&
v
vroldanbet
02/05/2024, 8:28 AMThis is one way to solve: https://play.authzed.com/s/REDz3ZL-LPWO
You can't create different types for the subaccounts. It's not supported to do checks that cross subject types. Instead we create a relation that points to the subject's "child" relation, which indicates "the user and all it's sub accounts are granted permissions".
In order to distinguish subaccounts from users, you can either add a prefix to the
resource_idrelation is_subaccount: user:*y
yetitwo
02/05/2024, 4:05 PMwhat happens in that schema if the child account is granted more permissions than the user? like is the user's permission set functionally the union of its direct perms and all of its children's perms?
v
vroldanbet
02/05/2024, 9:29 PMIf a child is granted more permission, the parent won't inherit it, but the children of the child will. The intuition here is the grant is over a subtree.
What this design does not achieve as it stands is attenuation, but I could imagine adding an exclusion list to the resource.
y
yetitwo
02/05/2024, 10:02 PMah gotcha... yeah the thing that we'd want to represent is that no subtree could have more permissions than a parent node. i suppose you could do that with negation in the permission definitions, but that sounds like it'd be cumbersome both in the schema representation and in the relations that you'd need to write in order to support it
3 Views