I'm currently trying to implement an approach similar to RBAC. The naming is in draft state, so if y...

broad-printer-45521

11/21/2022, 12:03 PM

I'm currently trying to implement an approach similar to RBAC. The naming is in draft state, so if you have better names let me know ;) My problem is that the check if the user effectively has the permission fails. OPL:

Copy code

class User implements Namespace {
  related: {}
}

class Group implements Namespace {
  related: {
    parents: Group[]
    members: User[]
  }

  permits = {
    permissionMember: (ctx: Context): boolean => this.related.members.includes(ctx.subject) ||
      this.related.parents.traverse( (p) => p.permits.permissionMember(ctx))
  }
}

class Permission implements Namespace {
  related: {
    //groups: SubjectSet<Group, 'effectiveMember'>[]
    permissions: Group[]
  }

  permits = {
    allowedFor: (ctx: Context): boolean => this.related.permissions.traverse( (p) => p.permits.permissionMember(ctx))
  }
}

RelationTuples:

Copy code

Group:SalesAndOperationsPlatformTeam#parents@(Group:SalesAndOperations)
Permission:ReadNameOfProjectGiver#permissions@(Group:SalesAndOperations)
Group:SalesAndOperationsPlatformTeam#members@(User:Bar)

Checks:

Copy code

// Works:
Group:SalesAndOperationsPlatformTeam#parents@(Group:SalesAndOperations)
Group:SalesAndOperationsPlatformTeam#members@(User:Bar)
Group:SalesAndOperationsPlatformTeam#permissionMember@(User:Bar)
Group:SalesAndOperations#permissionMember@(User:Bar)

// Fails:
Permission:ReadNameOfProjectGiver#allowedFor@(User:Bar)

steep-lamp-91158

11/21/2022, 12:33 PM

Why does

Group:SalesAndOperations#parents@(Group:SalesAndOperationsPlatformTeam)

work? Shouldn't it be the other way around? We have some cycle detection that could break there...

broad-printer-45521

11/21/2022, 1:01 PM

You are right, I overlooked that I tested for

allowed = false

😉 I edited the original Post

broad-printer-45521

11/22/2022, 5:51 AM

The original problem still remains

broad-printer-45521

11/22/2022, 8:23 AM

in my opinion the problem is inside the

Permission

class, since

Group:SalesAndOperations#permissionMember@(User:Bar)

works

broad-printer-45521

11/22/2022, 10:55 AM

reversing (changing object and subject)`Group:SalesAndOperationsPlatformTeam#parents@(Group:SalesAndOperations)` seems to fix the problem. After the struggle we decided to omit support for inheritance for groups. Instead permissions will be explicitly defined for each Group. The double effort can be minimised via code.

Open in Slack

Previous Next

Ory Community

Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.