Issue with User Defined Roles: Role Access Overlap...
# spicedb
g
Hello SpiceDB community, I have an issue with User Defined Roles. I followed this blog post: https://authzed.com/blog/user-defined-roles I have two default roles that all companies will have. The issue I'm facing right now is that when two companies have the same feature, let's call that Admin. Then one of the companies pays for a feature, so we set enabled_for to be their company. They have a management panel where they can set which roles should have access to the specific feature, so they would set allow_access to be Admin. Then the other company decides to also buy the feature, so we set enabled_for to be their company, and now the feature is allowed by default because the relation is already set. Basically, they can both change the allow_access for each other. I can't seem to figure out how I can solve this problem. Any help is appreciated. Thanks in advance 🙂
/**
 * paid features
 */
definition feature {
    /** which companies have access to the feature */
    relation enabled_for: company

    /** give access to a specific user or role group */
    relation allow_access: role#member | user

    /** restrict access to a specific user */
    relation disallow_access: user

    /** access determines who have access to the feature */
    permission access = (allow_access & enabled_for->member) - (disallow_access & enabled_for->member)
}

definition role {
    relation company: company
    relation member: user
    relation built_in_role: company

    /** delete roles that are not built in roles */
    permission delete = company->manage_roles - built_in_role->manage_roles

    /** add users to roles */
    permission add_user = company->manage_roles

    /** remove users from roles */
    permission remove_user = company->manage_roles

    /** add and remove permissions to roles */
    permission update = company->manage_roles

    /** permission to check that the user has at least one role */
    permission has_role = member
}

definition company {
    relation parent: company

    relation user: user
    permission direct_member = user
    permission member = direct_member + parent->member + platform_admin

    relation company_editor: role#member
    relation company_deleter: role#member
    permission edit_company = (company_editor + parent->edit_company + delete_company) & member
    permission delete_company = (company_deleter + parent->delete_company) & member
        
        ...
}
y
I wouldn't modify the default role; I'd add a new role that adds the new permission for that company.
g
Wouldn't the same issue happen if two companies choose the same name for their custom roles? Role names aren't unique, and the only way to make them unique is to keep track of them in a DB or something like that?
y
You could namespace them in that case - prepend the company id to the role name.
But yeah, you're hitting on something that we ran into at my old company, which is that role bookkeeping solely within SpiceDB can be difficult depending on the UI/UX you need to drive.
At my old company we ended up writing a role admin service that asynchronously wrote to SpiceDB for our Google-Cloud-IAM-ish schema,
and it was what drove an administration UI.
g
Okay, thanks a lot for your input - I appreciate it 🙂
y
Sure thing!