# talk-keto
b
I'm currently trying to implement an approach similar to RBAC. The naming is in draft state, so if you have better names, let me know ;) My problem is that the check of whether the user effectively has the permission fails. OPL:
class User implements Namespace {
  related: {}
}

class Group implements Namespace {
  related: {
    parents: Group[]
    members: User[]
  }

  permits = {
    // A user is a permissionMember if they are a direct member of this group,
    // or a permissionMember of any group listed under parents.
    permissionMember: (ctx: Context): boolean =>
      this.related.members.includes(ctx.subject) ||
      this.related.parents.traverse((p) => p.permits.permissionMember(ctx))
  }
}

class Permission implements Namespace {
  related: {
    //groups: SubjectSet<Group, 'effectiveMember'>[]
    permissions: Group[]
  }

  permits = {
    // allowedFor holds if the subject is a permissionMember of any group
    // that this permission has been granted to.
    allowedFor: (ctx: Context): boolean =>
      this.related.permissions.traverse((p) => p.permits.permissionMember(ctx))
  }
}
RelationTuples:
Group:SalesAndOperationsPlatformTeam#parents@(Group:SalesAndOperations)
Permission:ReadNameOfProjectGiver#permissions@(Group:SalesAndOperations)
Group:SalesAndOperationsPlatformTeam#members@(User:Bar)
Checks:
// Works:
Group:SalesAndOperationsPlatformTeam#parents@(Group:SalesAndOperations)
Group:SalesAndOperationsPlatformTeam#members@(User:Bar)
Group:SalesAndOperationsPlatformTeam#permissionMember@(User:Bar)
Group:SalesAndOperations#permissionMember@(User:Bar)

// Fails:
Permission:ReadNameOfProjectGiver#allowedFor@(User:Bar)
s
Why does `Group:SalesAndOperations#parents@(Group:SalesAndOperationsPlatformTeam)` work? Shouldn't it be the other way around? We have some cycle detection that could break there...
b
You are right, I overlooked that I tested for `allowed = false` 😉 I edited the original post.
The original problem still remains.
In my opinion the problem is inside the `Permission` class, since `Group:SalesAndOperations#permissionMember@(User:Bar)` works.
Reversing (swapping object and subject) `Group:SalesAndOperationsPlatformTeam#parents@(Group:SalesAndOperations)` seems to fix the problem. After the struggle, we decided to omit support for inheritance for groups. Instead, permissions will be explicitly defined for each Group. The double effort can be minimised via code.