I believe being able to specify conditions on concentric relationships that depend on the context of the relation they're pointing at could be useful, i.e.:
```
type foo
  relations
    define can_bar: [bar]
    define can_baz: can_bar with my_condition

condition my_condition(pass: bool) {
  pass
}
```
One possible, though admittedly slightly contrived usecase could be:
Let's say I want to model permissions within a group.
There are three types of groups:

- Private groups. Every user is automatically a member of one containing only themselves. No other members can be added and the group cannot be left or deleted, but documents can be created within the group.
- Built-in groups. Users may be invited to and kicked from these groups, and they can create documents as well. However, the group cannot be deleted.
- Public groups. Same as built-in groups, but they can be deleted.

To do any action within a group, the user must have the corresponding global role.
Using conditions, this could be modeled like this:
```
type user

type system
  relations
    define group_can_delete: [user]
    define group_can_invite: [user]
    define group_can_create_doc: [user, user:*]

type group
  relations
    define system: [system]
    define member: [user]
    define can_delete: member and group_can_delete from system with group_kind_deletable
    define can_invite: member and group_can_invite from system with group_kind_invitable
    define can_create_doc: member and group_can_create_doc from system

condition group_kind_deletable(kind: string) {
  kind in ["public"]
}

condition group_kind_invitable(kind: string) {
  kind in ["built-in", "public"]
}
```
where the `kind` context would be carried by the `group -> system` relationship.

## Partial polyfill
In cases such as the one described above, a polyfill is technically possible via self-referential "marker" relations, e.g.:
```
type group
  relations
    define system: [system]
    define member: [user]
    define is_private: [group]
    define can_delete: (member and group_can_delete from system) but not member from is_private
    # etc.
```
However, this quickly gets messy and difficult to understand once more markers are added (which is very suboptimal for authz models), and doesn't work at all with more complicated relationships.
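A way to exercise the marker-relation polyfill from the post with the OpenFGA CLI, as an added example that is not part of the original post or the OpenFGA project: the model below carries the post's `is_private` marker through to all three group kinds of the scenario by adding a second marker, `is_builtin` (an assumed name, as are `system:main`, the group and user identifiers and the intermediate relations `private_member`, `builtin_member` and `undeletable_member`). The tuples and assertions are constructed for illustration. Save it as `group-markers.fga.yaml` (file name assumed) and run `fga model test --tests group-markers.fga.yaml`.

```yaml
# Added example (not from the original post): runs the marker-relation polyfill
# under `fga model test`. All identifiers below are assumptions for illustration.
name: group-kind-marker-polyfill

model: |
  model
    schema 1.1

  type user

  type system
    relations
      define group_can_delete: [user]
      define group_can_invite: [user]

  type group
    relations
      define system: [system]
      define member: [user]
      # markers: group:X#is_private@group:X tags X as private, is_builtin as built-in
      define is_private: [group]
      define is_builtin: [group]
      # members reachable through a marker tuple, i.e. members of a marked group
      define private_member: member from is_private
      define builtin_member: member from is_builtin
      define undeletable_member: private_member or builtin_member
      define can_invite: (member and group_can_invite from system) but not private_member
      define can_delete: (member and group_can_delete from system) but not undeletable_member

tuples:
  # global roles, held on the single system object
  - user: user:anne
    relation: group_can_delete
    object: system:main
  - user: user:anne
    relation: group_can_invite
    object: system:main
  # anne's private group: marked with a self-referential is_private tuple
  - user: system:main
    relation: system
    object: group:anne-private
  - user: user:anne
    relation: member
    object: group:anne-private
  - user: group:anne-private
    relation: is_private
    object: group:anne-private
  # a built-in group: marked with is_builtin
  - user: system:main
    relation: system
    object: group:staff
  - user: user:anne
    relation: member
    object: group:staff
  - user: group:staff
    relation: is_builtin
    object: group:staff
  # a public group: no marker; bob is a member but holds no global role
  - user: system:main
    relation: system
    object: group:town-square
  - user: user:anne
    relation: member
    object: group:town-square
  - user: user:bob
    relation: member
    object: group:town-square

tests:
  - name: group kind markers gate invite and delete, global roles gate everything
    check:
      - user: user:anne
        object: group:anne-private
        assertions:
          can_invite: false
          can_delete: false
      - user: user:anne
        object: group:staff
        assertions:
          can_invite: true
          can_delete: false
      - user: user:anne
        object: group:town-square
        assertions:
          can_invite: true
          can_delete: true
      - user: user:bob
        object: group:town-square
        assertions:
          can_invite: false
          can_delete: false
```

Splitting the marker lookups into `private_member` and `builtin_member` keeps each `define` to a single operator and collects the exclusions in one place, but the cost the post describes is visible: every additional group kind needs another marker relation, another intermediate relation, and one more self-referential tuple per group, and the `kind` of a group lives in tuples rather than in the condition context where the post wants it.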
Labels: Enhancement (new feature or request), Modeling (questions related to modeling), Core API (relating to the core OpenFGA service or API)