This example presents an Instagram Authorization Schema, outlining the intricate relationships between users, accounts, and posts on the platform. It defines user access levels, privacy settings, and interactions, offering insights into how followers, account owners, and post restrictions are managed within the Instagram ecosystem.
entity user {}entity account { // users have accounts relation owner @user // accounts can follow other users/accounts. relation following @user // other users/accounts can follow account. relation follower @user // accounts can be private or public. attribute public boolean // users can view an account if they're followers, owners, or if the account is not private. action view = (owner or follower) or public}entity post { // posts are linked with accounts. relation account @account // comments are limited to people followed by the parent account. attribute restricted boolean // users can view the posts, if they have access to view the linked accounts. action view = account.view // users can comment and like on unrestricted posts or posts by owners who follow them. action comment = account.following not restricted action like = account.following not restricted}
The Instagram Authorization Schema models the relationships between users, accounts, and posts in the Instagram platform.
Users can own accounts, follow other accounts, and be followed by other users. Accounts can have public or private settings, and access to view an account is determined by ownership, followers, and privacy settings. Posts are associated with accounts and can have restricted comments and likes based on account privacy.
Users can view an account if they are the owner, a follower, or if the account is public.
Users can comment and like posts if they have access to view the linked account and the post is unrestricted.
entity account { relation owner @user relation following @user relation follower @user attribute public boolean action view = (owner or follower) or public }
According to the schema, user:kevin is the owner of account:1. Hence, user:kevin should be able to view account:1. The expected result is 'true'.
entity account { relation owner @user relation following @user relation follower @user attribute public boolean action view = (owner or follower) or public }
According to the schema, user:kevin follows account:2. Hence, user:kevin should be able to view account:2 because he is a follower. The expected result is 'true'.
entity account { relation owner @user relation following @user relation follower @user attribute public boolean action view = (owner or follower) or public }
According to the schema, user:george can view account:1, because the account is public. Hence, user:george should be able to view account:1. The expected result is 'true'.
entity account { relation owner @user relation following @user relation follower @user attribute public boolean action view = (owner or follower) or public }
According to the schema, user:george is the owner of account:2. Hence, user:george should be able to view account:2. The expected result is 'true'.
According to the schema, post:1 is linked with account:1, and it does not have restricted access. Also, user:george is following account:1. Hence, user:george should be able to view post:1. The expected result is 'true'.
According to the schema, post:2 is linked with account:2, and it has restricted access. Also, user:george is not following account:1. Hence, user:kevin should not be able to view post:2. The expected result is 'false'.
According to the schema, post:2 is linked with account:2, and it is restricted access. Also, user:george can view his own post:2. The expected result is 'true'.
entity post { relation account @account attribute restricted boolean action comment = account.following not restricted}
According to the schema, post:1 is linked with account:1, and it is not restricted. Also, user:george can comment on post:1. The expected result is 'true'.
entity post { relation account @account attribute restricted boolean action comment = account.following not restricted}
According to the schema, post:2 is linked with account:2, and it is restricted. user:kevin cannot comment on post:2. The expected result is 'false'.
Let’s test these access checks in our local with using permify validator. We’ll use the below schema for the schema validation file.
schema:|- entity user {} entity account { // users have accounts relation owner @user // accounts can follow other users/accounts. relation following @user // other users/accounts can follow account. relation follower @user // accounts can be private or public. attribute public boolean // users can view an account if they're followers, owners, or if the account is not private. action view = (owner or follower) or public} entity post { // posts are linked with accounts. relation account @account // comments are limited to people followed by the parent account. attribute restricted boolean // users can view the posts, if they have access to view the linked accounts. action view = account.view // users can comment and like on unrestricted posts or posts by owners who follow them. action comment = account.following not restricted action like = account.following not restricted}relationships:- account:1#owner@user:kevin- account:2#owner@user:george- account:1#following@user:george- account:2#follower@user:kevin- post:1#account@account:1- post:2#account@account:2attributes:- account:1$public|boolean:true- account:2$public|boolean:false- post:1$restricted|boolean:false- post:2$restricted|boolean:truescenarios:-name: Account Viewing Permissionsdescription: Evaluate account viewing permissions for 'kevin' and 'george'. checks:-entity: account:1subject: user:kevin assertions:view:true-entity: account:2subject: user:kevin assertions:view:true-entity: account:1subject: user:george assertions:view:true-entity: account:2subject: user:george assertions:view:true-name: Post Viewing Permissionsdescription: Determine post viewing permissions for 'kevin' and 'george'. checks:-entity: post:1subject: user:george assertions:view:true-entity: post:2subject: user:kevin assertions:view:true-entity: post:2subject: user:george assertions:view:true-name: Post Commenting Permissionsdescription: Evaluate post commenting permissions for 'kevin' and 'george'. checks:-entity: post:1subject: user:george assertions:comment:true-entity: post:2subject: user:kevin assertions:comment:false
After cloning Permify, open up a new file and copy the schema yaml file content inside. Then, build and run Permify instance using the command make serve
Then run permify validate {path of your schema validation file} to start the test process.
The validation result according to our example schema validation file:
