Skip to main content

Defining a domain model

The authorization model needs to mirror the domain model used by the application. To populate the directory we need to define the domain model which is comprised of objects and relations. To define these objects and relations, we first need to declare object types and relation types.

Object types

Object types define the entities in the system, such as user, department, task, etc. Some object types can be designated as subjects. This means they can function as the target of a relation. For example, a user is a subject, and a task is an object. A group can function as an object when defining a member relation to a user (subject), or it can function as a subject when defining an owner relation to a task (object).

Relation types

Relation types define the relationships between entities, such as member, owner, manager, etc. Relation types are defined on object types. In the context of authorization, we can think of relation types as roles that can be assigned to subjects. For example, a user can be assigned the owner role for a department. In our policy, we can check whether a relation exists for a subject and an object using the ds.check_relation built-in.

Permissions

While relations are helpful to model roles, we can associate many permissions to a single role. In the directory, permissions are associated with relation types. For example, we can define the owner relation type as associated with the can_create, can_delete, and can_view permissions. In our policy, we can check whether a permission exists between a subject and an object using the ds.check_permission built-in.

Defining the domain model

Create a manifest.yaml to define object types, relation types and permission. For example:

# object type (document)
document:
  # object relation (document:owner)
  owner:
    # include permissions of other object relations on the same object type
    union:
    - editor
    - viewer
    # permissions for relation on object type
    permissions:
    - sample.document.delete

  # object relation (document:editor)
  editor:
    # include permissions of other object relations on the same object type
    union:
    - viewer
    # permissions for relation on object type
    permissions:
    - sample.document.create
    - sample.document.update

  # object relation (document:viewer)
  viewer:
    # permissions for relation on object type
    permissions:
    - sample.document.read

Load the manifest.yaml file into Topaz by running:

topaz load manifest.yaml