Coarse Grained Authorization using OpenFGA #332
Closed
shashanklivspace
started this conversation in
General
Replies: 1 comment
-
Would this solve your issue? Below we are setting a system object and tying the doc to it; the doc can then inherit particular permissions or roles on the system.

```yaml
# OpenFGA store file (.fga.yaml): model, tuples and a check test in one place
model: |
  model
    schema 1.1

  type user

  type role
    relations
      define member: [user]

  type system
    relations
      # coarse-grained: granted to a user or to every member of a role
      define can_read_all_docs: [user, role#member]

  type doc
    relations
      # the system a doc belongs to
      define system: [system]
      # fine-grained per-doc grant OR inherited from the doc's system
      define can_read: [user, role#member] or can_read_all_docs from system

tuples:
  # anne is a member of the global reader role
  - user: user:anne
    relation: member
    object: role:global-doc-reader
  # every member of that role can read all docs on system:contoso
  - user: role:global-doc-reader#member
    relation: can_read_all_docs
    object: system:contoso
  # doc:1 belongs to system:contoso
  - user: system:contoso
    relation: system
    object: doc:1

tests:
  - name: anne-can-read-doc-1   # name added so the fga CLI can label the test
    check:
      - user: user:anne
        object: doc:1
        assertions:
          can_read: true
```
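To see why a single `can_read` check is enough once the coarse-grained grant is folded into the model, here is a small resolver written for this discussion (it is not OpenFGA's code and does not enforce the model's type restrictions such as `[user, role#member]`). It hand-encodes the answer's model as rewrite rules, loads the answer's tuples plus constructed extras (`doc:2`, `doc:3`, `user:bob`) and evaluates `can_read` through both paths: a direct per-doc tuple, and `can_read_all_docs from system` via the role userset.

```python
"""Toy resolver for the OpenFGA-style model from the answer above.

Added for this discussion; NOT OpenFGA's own code. It implements only the two
rewrite forms the model uses: direct assignment (including `type#relation`
usersets) and tuple-to-userset (`can_read_all_docs from system`), and it
ignores the model's type restrictions.
"""
from dataclasses import dataclass

# Hand-encoded rewrite rules for each (object type, relation) in the answer's model.
#   ("direct",)                  -> tuples may assign this relation directly
#   ("ttu", tupleset, computed)  -> "<computed> from <tupleset>"
MODEL = {
    ("role", "member"): [("direct",)],
    ("system", "can_read_all_docs"): [("direct",)],
    ("doc", "system"): [("direct",)],
    ("doc", "can_read"): [("direct",), ("ttu", "system", "can_read_all_docs")],
}


@dataclass(frozen=True)
class Tuple:
    user: str      # "user:anne" or a userset such as "role:global-doc-reader#member"
    relation: str
    object: str


# The answer's tuples, plus constructed extras (doc:2, doc:3, user:bob) to show
# the fine-grained path and a doc that is not attached to any system.
TUPLES = [
    Tuple("user:anne", "member", "role:global-doc-reader"),
    Tuple("role:global-doc-reader#member", "can_read_all_docs", "system:contoso"),
    Tuple("system:contoso", "system", "doc:1"),
    Tuple("system:contoso", "system", "doc:2"),
    Tuple("user:bob", "can_read", "doc:2"),   # per-document grant only
    # doc:3 has no system tuple, so only a direct grant could apply
]

MAX_DEPTH = 25  # bound on recursion so a cyclic role graph cannot loop forever


def check(tuples, user, relation, obj, depth=0):
    """Return True if `user` has `relation` on `obj` under MODEL and `tuples`."""
    if depth > MAX_DEPTH:
        raise RecursionError("resolution depth exceeded")
    obj_type = obj.split(":", 1)[0]
    for rule in MODEL.get((obj_type, relation), []):
        if rule[0] == "direct":
            for t in tuples:
                if t.object != obj or t.relation != relation:
                    continue
                if t.user == user:
                    return True
                if "#" in t.user:  # userset: expand role:X#member -> is user a member of role:X?
                    us_obj, us_rel = t.user.split("#", 1)
                    if check(tuples, user, us_rel, us_obj, depth + 1):
                        return True
        elif rule[0] == "ttu":
            _, tupleset, computed = rule
            # follow doc -> system links, then ask the computed relation on each system
            for t in tuples:
                if t.object == obj and t.relation == tupleset and "#" not in t.user:
                    if check(tuples, user, computed, t.user, depth + 1):
                        return True
    return False


def can_read(user, doc):
    """The single question the application needs to ask."""
    return check(TUPLES, user, "can_read", doc)


if __name__ == "__main__":
    for u, d in [("user:anne", "doc:1"), ("user:anne", "doc:3"),
                 ("user:bob", "doc:1"), ("user:bob", "doc:2")]:
        print(f"{u} can_read {d}: {can_read(u, d)}")
```

The application only ever calls `can_read`; whether the answer came from a per-doc tuple or from the role's system-wide grant is decided inside the resolver, which is exactly what the `or ... from system` line in the model expresses. Note the `doc:3` case: a document with no `system` tuple silently falls back to per-doc grants only, so attaching every new doc to its system is part of the write path, not an optional nicety.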
-
I do understand OpenFGA is created for fine-grained authorization for specific resources. This means that I need to define tuples for each resource to enforce the authorization.
However, we have a use case to define custom roles which can perform specific actions on all entities of a certain type.

For example: let's take the case of document read/write operations. I want all users with role `org_reader` to have read access to all documents. But I also want to have granular read access to each document. I have modeled this. The problem is the application needs to be aware of both the relations: `can_read_all_doc` (coarse-grained authorization) at global level and `can_read` (fine-grained authorization) to be able to conclude the access. Can we somehow combine these two models within a single model? I only want to check whether `User x can read doc y` instead of `User x can read doc y or User x can read any doc`.

I hope I have made the use case clear.