Could objects, not subjects, have caveats? Or is there a way to add conditionals to permissions? #1933

nik-kumar-td · 2024-06-11T04:17:36Z

nik-kumar-td
Jun 11, 2024

I am looking to migrate our existing auth logic over to spicedb. We are almost there. However, we have run into an issue.

We have a platform with numerous tenants/organisations and accounts associated with tenants. There is a certain resource which accounts/users can create and share within their tenancy with other groups or accounts. These resources can also be overtaken by the platform admin and be made generally available (platform reserved). However, in this case the owner or accounts who have access to edit or delete the resource, lose this permission.

Is there a way to have caveats associated with objects but not subjects or someway to have conditional permissions if certain relationships exists?

Original resource definition

definition resource {
	relation owner: account
	relation tenant: tenant
	relation share_view: account | group#member
	relation share_delete: account | group#member
	relation share_edit: account | group#member
        relation platform_reserved: platform#admin

	// 
	permission view =  owner + share_view + tenant->admin
	permission edit = view + share_edit
	permission delete = view + share_delete
	permission share = owner + tenant->admin
}

Possible Approach 1

caveat resource_reserved_by_platform(reserved bool) {
  reserved == bool
}

definition resource {
	relation owner: account
	relation tenant: tenant
	relation share_view: account | group#member
	relation share_delete: account | group#member
	relation share_edit: account | group#member

	// resource permission
	permission view = owner + share_view + tenant->admin
	permission edit = view + share_edit
	permission delete = view + share_delete
	permission share = owner + tenant->admin
}

OR

Possible Approach 2

definition resource {
	relation owner: account
	relation tenant: tenant
	relation share_view: account | group#member
	relation share_delete: account | group#member
	relation share_edit: account | group#member
        relation platform_reserved: platform#admin

	// some way to add a conditional to permission in case a relation exists
	permission view = platform_reserved? - owner + share_view + tenant->admin
	permission edit = platform_reserved? - view + share_edit
	permission delete = platform_reserved? - view + share_delete
	permission share = platform_reserved? - owner + tenant->admin
}

Apologies, if I am missing an obvious way to achieve this.

Answered by josephschorr

Jun 11, 2024

The current way is to have a reference to the resource itself, and caveat that:

definition resource {
  relation platform_reserved: resource

  permission view_internal = viewer + owner + ...
  permission view = platform_reserved->view_internal
}

You'd only write the platform_reserved (pointing to the same resource) if that condition existed. You can similarly caveat that "self relationship" to assign a caveat on the object itself

View full answer

josephschorr · 2024-06-11T04:22:07Z

josephschorr
Jun 11, 2024
Maintainer

The current way is to have a reference to the resource itself, and caveat that:

definition resource {
  relation platform_reserved: resource

  permission view_internal = viewer + owner + ...
  permission view = platform_reserved->view_internal
}

You'd only write the platform_reserved (pointing to the same resource) if that condition existed. You can similarly caveat that "self relationship" to assign a caveat on the object itself

0 replies

nik-kumar-td · 2024-06-11T05:26:32Z

nik-kumar-td
Jun 11, 2024
Author

@josephschorr Thank you very much for your prompt reply! Your solution works and its just what we needed! I will run further tests, but it is looking quite promising.

To anyone else looking for the final solution. I have combined @josephschorr's answer

caveat is_resource_reserved(reserved bool) {
  reserved == false
}

definition resource {
	relation owner: account
	relation tenant: tenant
        relation platform: platform#admin // to ensure only platform_admins have access once its marked as platform_reserved
        relation platform_reserved: resource with is_resource_reserved 
	relation share_view: account | group#member
	relation share_delete: account | group#member
	relation share_edit: account | group#member

	// resource permission
	permission view_internal = owner + share_view + tenant->admin
	permission view = platform_reserved->view_internal + platform
	permission edit = view + share_edit
	permission delete = view + share_delete
	permission share = owner + tenant->admin
	permission share_internal = owner + tenant->admin
	permission share = platform_reserved->share_internal + platform
}

Test Relationships

platform:some_platform#admin@account:some_admin
tenant:some_tenant#admin@platform:some_platform#admin
tenant:some_tenant#admin@account:some_tenant_admin
resource:some_resource#owner@account:some_account
resource:some_resource#tenant@tenant:some_tenant
resource:some_resource#platform@platform:some_platform#admin
resource:some_resource#platform_reserved@resource:some_resourcel[is_resource_reserved:{"reserved":true}]

Assertions

assertTrue:
  - resource:some_resource#view@account:some_admin
  - resource:some_resource#edit@account:some_admin
  - resource:some_resource#share@account:some_admin

assertFalse:
  - resource:some_resource#edit@account:some_tenant_admin
  - resource:some_resource#view@account:some_tenant_admin
  - resource:some_resource#view@account:some_account
  - resource:some_resource#edit@account:some_account
  - resource:some_resource#share@account:some_account
  - resource:some_resource#delete@account:some_account

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

authzed

Could objects, not subjects, have caveats? Or is there a way to add conditionals to permissions? #1933

{{title}}

Replies: 2 comments

{{title}}

{{title}}

Select a reply

authzed

Could objects, not subjects, have caveats? Or is there a way to add conditionals to permissions? #1933

nik-kumar-td Jun 11, 2024

Replies: 2 comments

josephschorr Jun 11, 2024 Maintainer

nik-kumar-td Jun 11, 2024 Author

nik-kumar-td
Jun 11, 2024

josephschorr
Jun 11, 2024
Maintainer

nik-kumar-td
Jun 11, 2024
Author