# spicedb
j
Hi folks, I'm trying to figure out whether or not there is a solution to the following use case. I need to have users that are assigned to roles. Roles have domains, which define a set of permissions for a given resource type. Domains have scopes, which are a set of attributes on a resource by which it is determined whether or not you have access to a given resource. So, we can say, users with the role of EMEA Admin will have a set of permissions enabled for all the resources that are tagged with EMEA. I think when there is a single attribute, we can just assign it through a relation, but the crux of the problem comes when there are multiple attributes. I can see how I can model this through a graph if the resource gets added to the role manually based on the attributes of this role. Say, you add a role and notify the resource service that this role has been added, and the resource service finds all the matching resources with the scope and connects them to the domain, through which it can check permissions, role and finally user; however this is not ideal, since adding a role is a resource-intensive operation, both on storage and on compute, and other services need to listen to this change. One option is to pass attributes of the resource with the request and have a conditional check on the relation, but that does mean that I need to be aware of those attributes, which might not be the case when I am doing a check from a resource that is a child of a resource through which this permission is granted. I hope this makes sense
y
my gut reaction is that yes, that's modelable in SpiceDB
you'd mediate part of the permission check through a `tag` definition
and my sense is that something like the GCP IAM blog post might give you a starting place: https://authzed.com/blog/google-cloud-iam-modeling#modeling
and my sense is that a `tag` would play a similar role to a `role_binding` in that example
the only part that i'm not completely sure of is that there needs to be some connection between the tag and the user or the role_binding and the user
actually i'm curious
is this fine-grained?
are the tags disjoint? i.e. will one resource ever have two tags?
j
When you say, fine grained, do you mean that it has set of permissions that are configurable?
And to answer the second question, yes, there might be several tags that will give you permissions. Say, a role can give you access to projects that are within the EMEA region AND that have the type Procurement
I think this AND condition is where I am confused on how to model it in a graph
You either need the context of the resource to make this decision or you have to assign every resource to a role, which is not ideal
y
when i say fine-grained i mean that a user has access to one object but not another, which is as opposed to an RBAC system where the user has a role that gets associated with all objects
it sounds like you're somewhere in between, where it's RBAC on tags
```
definition user {}

definition role {
  // members of the role
  relation user: user
  // Using a self relation here lets us express a "boolean":
  // writing role:foo#view@role:foo switches the view permission on for that role
  relation view: role
  // walk the self relation (only present when the boolean is set) to the
  // role's members, then intersect with the members themselves
  permission can_view = view->user & user
}

definition tag {
  relation role: role
  permission view = role->can_view
}

definition resource {
  relation tag: tag
  permission view = tag->view
}
```
i think i'd use that as a starting place
and i think the "and" logic you're getting at could be expressed using an intersection arrow
like instead of
```
definition tag {
  relation role: role
  permission view = role->can_view
}
```
you'd do something like
```
definition tag {
  relation role: role
  permission view = role.all(can_view)
}
```
and if it can't be neatly described as "you must have this permission on all associated tags" then there's probably an additional layer of complexity
but i'd chew on the above to start