Modeling my first permissions

[wojtekdfg]

Hi
I'm trying to set up a permission model for given cases:

• User accessing the repository (reader):

1. User is a school member and school has school_access to the repository (every member can access)
2. User has direct access (reader) without any school membership
3. User has access (reader) when he is a school member with restricted_school_access and he is selected to have access (not every member of the school can have access)
   This last case is giving me some problems. My thinking process here is that I need to add user to special group in the school - individual_approved_member so I know who has permissions in the school. Then I need to add relation for school in the repository so I know that additional check is required. So school is added as restricted_school_access and user is granted restricted_user_access.
   I have created such model and tested it in the playground with success. It feels very basic and I'm looking for help what I can improve.
   I have identified already a few issues but I think they are not breaking the applications like removing user access via one school when he still has access in another school. This is not a problem because I need access from one or more schools to grant reader permission to the user.

model
  schema 1.1
type user
type school
  relations
    define member: [user]
    define individual_approved_member: [user]
type repository
  relations
    define reader: [user] or member from school_access or individual_school_member
    define school_access: [school]
    define restricted_school_access: [school]
    define restricted_user_access: [user]
    define individual_school_member: individual_approved_member from restricted_school_access and restricted_user_access

I would appreciate any help with creating my first model and testing it in real application prototype.

[dyeam0]

Hi @wojtekdfg, thanks for your question. We'll take a look and get back to you with some help.

[wojtekdfg]

Hi @dyeam0
Did you guys have some time to take a look at this case?
I found an issue that I can't overcome in current state of the model.
If school member with access is having access removed I can either remove the restricted_user_access relation from the repository but then the same user would lose access from another school or leave the relation and then user still has access after the removal which is also not expected behavior. Could you guys please help me with some suggestions how do you solve such authorization problem in OpenFGA?
Best,
Wojtek

[rishavmishra-okta]

Hi @wojtekdfg ,

Thanks for your question. I've shared a .yaml file with you with some example tuples and assertions which you can check out.

school.fga.yaml.zip

Please let us know if this example works for your use case, I'd suggest adding additional tuples and assertions to validate this.

Thank you
Rishav

[rishavmishra-okta]

Hi @wojtekdfg,

I've pasted the fga.yaml file below, for easy reference. Please let us know if you have any questions.

Thanks
Rishav

model: |
    model 
        schema 1.1

    type user

    type school
      relations
        define member:[user]
        define individual_approved_member:[user]
    type repository
      relations
        define direct_reader:[user]
        define school_access:[school]
        define restricted_school_access:[school]
        define reader: direct_reader or member from school_access or individual_approved_member from restricted_school_access

tuples:
    - user: user:alice
      relation: direct_reader
      object: repository:math-notes

    - user: user:bob
      relation: member
      object: school:harvard

    - user: school:harvard
      relation: school_access
      object: repository:physics

    - user: user:charlie
      relation: individual_approved_member
      object: school:mit

    - user: school:mit
      relation: restricted_school_access
      object: repository:confidential-lab        

tests:
    - check:
        - user: user:alice
          object: repository:math-notes
          assertions:
            reader : true
            
        - user: user:bob
          object: repository:physics
          assertions:
            reader : true

        - user: user:charlie
          object: repository:confidential-lab
          assertions:
            reader : true

        - user: user:bob
          object: repository:confidential-lab
          assertions:
            reader : false

        - user: user:alice
          object: repository:physics
          assertions:
            reader : false