<@U04UQ68083H> Can you help me to write namespace ...
# ory-copilot
@chilly-king-10285 Can you help me to write a namespace based on the context below?
A message from kapa.ai
@chilly-king-10285 Here is a context: We utilize the ABAC (Attribute-Based Access Control) model in our app's hierarchy and access control system. The Owner attribute represents the highest level within this hierarchy. All Legal Entities have Employees, and both of these are considered to be Subjects in an ABAC context, as we assume both non-person entities and humans can request access to an object. A subject with an Owner attribute has a high level of access. I believe attributes can have multiple values, and since they are key-value pairs we can say: Subject CEO has an attribute named Role with value Owner.

CEO
To become an Owner, you must first register and onboard with Minibank. The Owner has access to all features and functionalities within the system. As an Owner, you can perform the following actions (any subject with an Owner attribute will have maximum access to objects of the legal entities for which they have an Owner attribute):
1. Create legal entities (objects) and employees (subjects).
2. Define groups of attributes and assign them to each employee.
3. Assign the Owner group to an employee if necessary. (Any owner raising such a request would need a quorum of owners to agree to that request, but yes, I think it should be possible.)

Each employee is assigned specific permissions with corresponding attributes, which determine their access to various objects within the system. For instance, Employee 1 may have a Developer group in Legal Entity 2 to perform certain actions, but may not have any access to Legal Entity 1. (Subject Employee with attribute Legal Entities=[LE1, LE2] may inherit attribute Developer from LE1 but not from LE2.) Roles can be classified into three distinct access levels: read, write, and delete. These access levels determine the extent to which an employee can interact with the system's data and functionalities.

Pre-defined Attributes
There are pre-defined attributes, such as the Owner role, which exist independently of legal entities. These attributes are essential for organizing access to different parts of the system.

Cataloging Objects and Attributes
We need to catalog all objects within the system, as well as the attributes that govern access to them by subjects. This comprehensive catalog will help us manage and monitor the access control effectively.

Attribute Groups and Namespaces
Owners have the ability to create groups of attributes using pre-defined attributes and groups. Implementing namespaces will help us organize these attributes and groups in a structured manner. As we move forward, it is important to keep the initial design simple and build upon it as needed.

Assigning Attributes for API Access
Our goal is to demonstrate that when an employee registers with the system, they are assigned specific attributes that grant them access to call other APIs. We will continue to refine our access control document to reflect this objective. We encourage all team members to contribute to the development and improvement of our access control system. Feel free to add your insights or make changes to the document as needed. Together, we will create a robust and efficient access control system for our digital bank.
A message from kapa.ai
@wide-machine-60917 That's a great question, but unfortunately it is too long. Can you ask me again but make it shorter? I'm here to help!
Hmm, I don't know enough to give you a confident answer yet. However, you can refer to the Ory documentation for more information on creating namespaces and permission models:
- [Namespaces](https://www.ory.sh/docs/keto/concepts/namespaces)
- [Create a permission model](https://www.ory.sh/docs/keto/modeling/create-permission-model)
@chilly-king-10285 Our app uses the ABAC model for access control. Owners have the highest level of access, and legal entities and employees are considered subjects. To become an owner, register with Minibank. Owners can create legal entities and employees, define attribute groups, and assign permissions. There are pre-defined attributes and groups, and a catalog of objects and attributes is essential for effective access control. Owners can create attribute groups using pre-defined attributes and namespaces. We assign specific attributes to employees for API access. Let's work together to improve our access control system.
A message from kapa.ai
Based on the context you provided, you can create a permission model using Ory Keto and the Ory Permission Language (OPL). Here's a suggested approach to define your namespaces and relationships:

1. Identify the objects and subjects in your system. In your case, the subjects are `Owner`, `LegalEntity`, and `Employee`. The objects could be the resources you want to manage access for, such as `AttributeGroup` and any other relevant objects.
2. Define the relationships between the objects and subjects. Here's an example of how you can define the namespaces and relationships using OPL:

```typescript
import { Namespace, Context } from "@ory/keto-namespace-types"

// Subjects: each gets its own namespace so they can be referenced in relations
class Owner implements Namespace {}
class LegalEntity implements Namespace {}
class Employee implements Namespace {}

// Object: the relations below define which subjects can be tied to an AttributeGroup
class AttributeGroup implements Namespace {
  related: {
    owners: Owner[]
    legalEntities: LegalEntity[]
    employees: Employee[]
  }
}

// Add other relevant objects and their relationships here
```

3. Define the permissions for each object in the OPL. For example, you can define the `create`, `view`, and `assign` permissions for the `AttributeGroup` object.
4. Test your permission model to ensure it works as expected.

For more information on creating a permission model and defining namespaces, refer to the following Ory documentation:
- [Namespaces](https://www.ory.sh/docs/keto/concepts/namespaces)
- [Create a permission model](https://www.ory.sh/docs/keto/modeling/create-permission-model)

Remember that this is just a starting point, and you may need to adjust the model based on your specific requirements and use case.
@chilly-king-10285 Explain what manager means/does in this code: `class User implements Namespace { related: { manager: User[] } }`
A message from kapa.ai
In the given code snippet:

```typescript
import { Namespace } from "@ory/keto-namespace-types"

class User implements Namespace {
  related: {
    // a User object can be related to any number of other Users acting as its managers
    manager: User[]
  }
}
```

`manager` is a relationship defined within the `User` namespace. It represents a many-to-many relationship between users, where one user can be a manager of other users. The `manager` relationship is an array of `User` objects, indicating that a user can have multiple managers. This relationship can be used to model scenarios where users have managers, and you want to control access to resources based on the manager-user relationship.
@chilly-king-10285 Write a namespace where User is the subject and LegalEntity is the object. Some user(s) have Read access to LegalEntity, some Write access. Some of them have both.
A message from kapa.ai
You can create a namespace with `User` as the subject and `LegalEntity` as the object, and define the `read` and `write` access relationships using the Ory Permission Language (OPL). Here's an example:

```typescript
import { Namespace, Context } from "@ory/keto-namespace-types"

class User implements Namespace {}

class LegalEntity implements Namespace {
  related: {
    readers: User[]   // users granted read access
    writers: User[]   // users granted write access
  }

  permits = {
    // the subject in the check request may read if it is among the readers
    read: (ctx: Context): boolean => this.related.readers.includes(ctx.subject),
    // the subject may write if it is among the writers
    write: (ctx: Context): boolean => this.related.writers.includes(ctx.subject),
  }
}
```

In this example, the `LegalEntity` namespace has two relationships: `readers` and `writers`. These relationships represent users who have read and write access to the legal entity, respectively. The `permits` object defines the `read` and `write` permissions based on the relationships. A user has read access if they are in the `readers` relationship, and write access if they are in the `writers` relationship. Some users can have both read and write access if they are included in both relationships.
@chilly-king-10285 What's SubjectSet?
A message from kapa.ai
A `SubjectSet` is a concept in Ory Keto that refers to all subjects who have the same `relation` on an `object`. It allows Ory Permissions to be flexible by defining indirections, which can be used to realize models like RBAC (Role-Based Access Control) or inheritance of relations. Subject sets can also indirect to other subject sets. In the context of a graph of relations, subject sets represent all intermediary nodes.

Here's a brief overview of the `SubjectSet` fields:
- `namespace`: The namespace of the object and relation referenced in this subject set.
- `object`: The object related by this subject set.
- `relation`: The relation between the object and the subjects.

For more information, refer to the following extracts:
- [Subject sets in Ory Keto concepts](https://www.ory.sh/docs/keto/concepts/subjects#subject-sets)
- [SubjectSet in Ory Keto Protocol Documentation](https://www.ory.sh/docs/keto/reference/proto-api#subjectset)
@chilly-king-10285 How is it possible to have one group named "developer" containing some permissions and use that group to relate to an Object?
A message from kapa.ai
@wide-machine-60917 That's a great question, but unfortunately I am only capable of responding to a maximum of five questions per thread. Don't hesitate to create a new thread for any further questions you have though. I'm here to help!
@chilly-king-10285 write relationships.json with the following namespace, where user1 has read access and user2 has both read and write.

```typescript
import { Namespace, Context } from "@ory/keto-namespace-types"

class User implements Namespace {}

class LegalEntity implements Namespace {
  related: {
    readers: User[]
    writers: User[]
  }

  permits = {
    // writers are implicitly allowed to read as well
    read: (ctx: Context): boolean =>
      this.related.readers.includes(ctx.subject) ||
      this.related.writers.includes(ctx.subject),
    write: (ctx: Context): boolean => this.related.writers.includes(ctx.subject),
  }
}
```
A message from kapa.ai
@wide-machine-60917 That's a great question, but unfortunately I am only capable of responding to a maximum of five questions per thread. Don't hesitate to create a new thread for any further questions you have though. I'm here to help!