👋 hello there. First of all, thanks for great project(s). We are running hydra in production and are very happy with it. Now we started contemplating adding keto to the mix so I started reading on it a little bit and wanted to ask a question related to the model for RBAC with certain level of multi-tenancy. To give a background in our systems we have

users

,

users

have N:N relationships with

accounts

and within each account can have certain

role

and each role has certain

permissions

. I started modeling the above use case and came with two options:

role.admin#has_role@account1.user1
// or
role.custom_role1#has_role@account1.user1

files.delete#has_permission@role.admin

in this use case we sacrifice the ability of having

user <-> account

relationship in the Keto, instead we need that on our side. On the other hand we can have generic permissions. You would then ask

check account1.user1 has_permission files.delete

, i.e. the top level object would be user scoped to the account. AFAIK, in this model we wouldn't be able to use userset rewrites (or am I wrong?). The other option would be:

account1:owner#is_member@user1
account1:files#delete@account1:owners

where one would ask

check account1:files delete user1

. In this case we can also have the

user <-> account

relationship in keto, we loose the ability to have generic roles shared across accounts (or am I wrong?), and we could use userset rewrites to for example give read relationship over

account1:files

for anyone with

delete

relationship over

account1:files

. Now, I am sorry for extensive example, I am still trying to wrap my head around the tuples model, but does the above make sense or did I completely miss something? Which approach do you think makes more sense (or is it situation specific)? Or is there better way to achieve what we want?

We are currently working on an RBAC guide, I recommend you start there https://github.com/ory/docs/pull/700

Completely missed that, thanks a lot!

Np 😉

Alright, that's perfect guide and it answers most of my questions, thanks a lot. I am still wondering about one use case that I am not sure is achievable:

What you need for that is https://github.com/ory/keto/issues/263 So currently not possible, but we will be working on it in the next months Workaround is to create all those tuples OR do two checks to see if the subject has the * permission or the specific one

Will that work even with userset rewrites though? As far as I understand userset rewrites allow inheritance between relations but what would be needed in this case is more of a "tuple template" or "placeholder". I should have used different character than

*

but the example:

accounts:*#transactions.refund@(roles:*:admin#member@...)

should be

accounts:{ACCOUNT_ID}#transactions.refund@(roles:{ACCOUNT_ID}:admin#member@...)

In other words, I would like to define generic tuple that would mean: Allow

transactions.refund

action on account

X

if the user is member of

roles:X:admin

. This would allow us to define and modify the permissions for

role:X:admin

role easily but the changes would apply to any account that uses this role. (best example is GCP roles where there are provisioned roles managed by google updated to reflect new permissions but one can also create a custom role). If we created this role on account creation for all accounts and then needed to modify it that would mean millions of changes. The above example makes it one. I think this would work with userset rewrites if we instead used:

accounts:account1#is_admin@users:user1

with

name: "accounts"
relation {
  name: "transactions.refund"
  userset_rewrite {
    union {
      child { _this() }
      child { computed_userset { relation: "is_admin" } } } } }

i.e. defined generic roles via relation and custom roles via

roles

object. But than there's this strange dual way of defining roles (but maybe that's the right approach). Sorry, must be getting annoying at this point, I am still trying to make sense of it and this is where I am struggling.

If we created this role on account creation for all accounts and then needed to modify it that would mean millions of changes. The above example makes it one.

yes, exactly that is unfortunately the workaround you currently have to use but the rewrites will allow specifically also those "template" tuples

wonderful, thanks a lot for the replies, this helped a lot 🙏

but the rewrites will allow specifically also those "template" tuples

if that's the case, then that's perfect.