diff --git a/.custom_wordlist.txt b/.custom_wordlist.txt index be8059b..52b9961 100644 --- a/.custom_wordlist.txt +++ b/.custom_wordlist.txt @@ -78,6 +78,7 @@ Permalink PostgreSQL pre Quickstart +RBAC ReadMe ReBAC reST diff --git a/explanation/jaas_authorisation.rst b/explanation/jaas_authorisation.rst index 38ad060..76271d0 100644 --- a/explanation/jaas_authorisation.rst +++ b/explanation/jaas_authorisation.rst @@ -1,7 +1,7 @@ JAAS Authorisation ================== -JAAS provides enterprise-level features on top of Juju. One of such features is the `Relationship-Based Access Control (ReBAC) `_ that enables enterprises to have more control over users and their permissions to access underlying Juju resources (e.g. controllers or models). Among various implementations, JAAS uses `OpenFGA `_ as the backend for ReBAC. You can read more about Juju permission model in `here `_. +JAAS provides enterprise-level features on top of Juju. One of such features is the `Relationship-Based Access Control (ReBAC) `_ that enables enterprises to have more control over users and their permissions to access underlying Juju resources (e.g. controllers or models). Among various implementations, JAAS uses `OpenFGA `_ as the back-end for ReBAC. You can read more about Juju permission model in `here `_. .. hint:: For a tutorial on managing users/groups permissions, check out :doc:`this <../tutorial/group_management>` topic. 
@@ -10,7 +10,7 @@ JAAS provides enterprise-level features on top of Juju. One of such features is What is ReBAC? -------------- -Unlike `Role-Based Access Control (RBAC) `_ where permission sets are managed by the concept of *roles*, in ReBAC, a user's access to a resource is modeled through a *relation*, which could be either direct or indirect (i.e. the result of another relation). This makes ReBAC more dynamic in comparison to RBAC, and also more suitable for complex authorisation schemes where there are large number of users and resources. +Unlike `Role-Based Access Control (RBAC) `_ where permission sets are managed by the concept of *roles*, in ReBAC, a user's access to a resource is modelled through a *relation*, which could be either direct or indirect (i.e. the result of another relation). This makes ReBAC more dynamic in comparison to RBAC, and also more suitable for complex authorisation schemes where there are large number of users and resources. As an example, consider a simple file-system structure with two kinds of resources: directories and files. Without ReBAC, you need to be explicit about every user's permissions (or set of permissions, as roles) to every file or directory. But, with ReBAC, you can achieve the same result with much less effort and data, by defining the right relations. For instance, you can just assign the ``read::directory:foo`` relation to a user (meaning that the user has ``read`` relation to the ``directory`` named ``foo``), and then the user will have the read access to all files and directories under ``foo``. Note that, you only declared *one* relationship (or more precise, *tuple*), and the other relations are automatically inferred from that. diff --git a/reference/authorisation_model.rst b/reference/authorisation_model.rst index 1288e06..943166d 100644 --- a/reference/authorisation_model.rst +++ b/reference/authorisation_model.rst 
@@ -78,7 +78,7 @@ For example, if a ``user`` named ``alice@canonical.com`` has the ``member`` rela relation: member target: group:foo -This reads as: "an entity of type *user*, named *alice@canonical.com*, has *member* relationship to an entity of type *group*, named *foo*. +This reads as: "an entity of type ``user``, named ``alice@canonical.com``, has ``member`` relationship to an entity of type ``group``, named ``foo``. Manipulating tuples @@ -94,7 +94,7 @@ To manipulate the tuples (i.e. add/remove relations between different resources) jimmctl auth relation add user-alice@canonical.com member group-foo -To check if a specific tuple exists, you use the ``check`` subcommand: +To check if a specific tuple exists, you use the ``relation check`` command: .. code:: bash
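Review bot: the rewritten intro line in the first `explanation/jaas_authorisation.rst` hunk (`@@ -1,7 +1,7 @@`) still carries two grammar problems that should go in the same edit as the "backend" -> "back-end" change: "One of such features is" should read "One such feature is", and "read more about Juju permission model in `here`" should read "read more about the Juju permission model `here`" (no "in" before "here", and "the" before "Juju permission model"). Touching the line once for spelling and again for grammar is churn on a documentation page.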
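Review bot: the "What is ReBAC?" hunk (`@@ -10,7 +10,7 @@`) changes "modeled" to "modelled" but leaves a misleading claim in the file-system example on the unchanged context line: it says that assigning `read::directory:foo` gives the user read access to everything under `foo` and that "the other relations are automatically inferred from that". In ReBAC the inference is not automatic; it only happens because the authorisation model defines a file's `read` relation in terms of its parent directory's `read` relation. Suggest "the other relations are inferred by the authorisation model, which declares that `read` on a directory implies `read` on its contents", so readers do not assume a tuple alone grants transitive access. Two smaller points on the same lines: the `read::directory:foo` notation does not match the `relation: member` / `target: group:foo` form used in `reference/authorisation_model.rst`, so pick one and use it in both pages; and "there are large number of users", "or more precise, *tuple*" and "will have the read access" should read "there is a large number of users", "or, more precisely, a *tuple*" and "will have read access".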
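Review bot: the new line in the `reference/authorisation_model.rst` hunk at `@@ -78,7 +78,7 @@` opens a quotation (`"an entity of type ``user``, ...`) that is never closed; add the closing quote after `named ``foo``.` Also "has ``member`` relationship to" reads better as "has a ``member`` relationship with", and the surrounding sentence ("if a ``user`` named ``alice@canonical.com`` has the ``member`` rela...") uses the same wording, so align both.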
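Review bot: in the `@@ -94,7 +94,7 @@` hunk, "``relation check`` command" is still not the full invocation; the preceding example in this hunk is `jimmctl auth relation add user-alice@canonical.com member group-foo`, so write "``jimmctl auth relation check`` command" (or "the ``check`` subcommand of ``jimmctl auth relation``") for parallelism. More importantly, "To check if a specific tuple exists" should say whether the command reports only stored tuples or also relations inferred through the model (group membership, inherited access), because the explanation page stresses that indirect relations are what make ReBAC useful and an operator auditing access needs to know which of the two they are seeing. While here, add one sentence explaining that the `group-foo` form on the CLI corresponds to the `target: group:foo` form shown in the tuple listing above it; the two separators appear within a few lines of each other with no mapping given.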