Defining a domain model
The authorization model needs to mirror the domain model used by the application. To populate the directory we need to define the domain model which is comprised of objects and relations. To define these objects and relations, we first need to declare object types and relation types.
Object types
Object types define the entities in the system, such as user
, department
, task
, etc. Some object types can be designated as subjects. This means they can function as the target of a relation. For example, a user
is a subject, and a task
is an object. A group
can function as an object when defining a member relation to a user (subject), or it can function as a subject when defining an owner relation to a task (object).
Relation types
Relation types define the relationships between entities, such as member
, owner
, manager
, etc. Relation types are defined on object types. In the context of authorization, we can think of relation types as roles that can be assigned to subjects. For example, a user
can be assigned the owner
role for a department
. In our policy, we can check whether a relation exists for a subject
and an object
using the ds.check_relation
built-in.
Permissions
While relations are helpful to model roles, we can associate many permissions to a single role. In the directory, permissions are associated with relation types. For example, we can define the owner
relation type as associated with the can_create
, can_delete
, and can_view
permissions. In our policy, we can check whether a permission exists between a subject
and an object
using the ds.check_permission
built-in.
Defining the domain model
Create a manifest.yaml
to define object types, relation types and permission. For example:
# object type (document)
document:
# object relation (document:owner)
owner:
# include permissions of other object relations on the same object type
union:
- editor
- viewer
# permissions for relation on object type
permissions:
- sample.document.delete
# object relation (document:editor)
editor:
# include permissions of other object relations on the same object type
union:
- viewer
# permissions for relation on object type
permissions:
- sample.document.create
- sample.document.update
# object relation (document:viewer)
viewer:
# permissions for relation on object type
permissions:
- sample.document.read
Load the manifest.yaml
file into Topaz by running:
topaz load manifest.yaml