Model Role Based Access Control (RBAC)
Resource Specific Roles
Let’s modify the global roles schema to represent resource-specific roles. Basically, we add a new file entity and define permissions specific to it.
Here’s an updated version of the schema:
entity user {}

entity organization {
    // roles
    relation admin @user
    relation member @user
    relation manager @user
    relation agent @user
}

entity file {
    // file-specific relations
    relation owner @user
    relation org @organization
    relation vendor @vendor

    // file-specific permissions
    permission view = org.admin or org.manager or (org.member not org.agent) or owner
    permission edit = org.admin or org.manager or owner
    permission delete = org.admin or owner
}

entity vendor {
    // vendor-specific relations
    relation primary_contact @user
    relation org @organization

    // vendor-specific permissions
    permission manage = org.admin or org.agent
    permission view = org.admin or org.manager or org.agent or primary_contact
}
This model defines several entities along with their relationships, permissions, and actions.
Let’s break it down:
User Entity
This is a basic entity with no defined relations or permissions.
Organization Entity
- Defines four roles: admin, member, manager, and agent.
- These are represented as relations to the user entity.
File Entity
Relations
- owner: relates to a user
- org: relates to an organization
- vendor: relates to a vendor
Permissions
- view: granted to org admins, managers, members (excluding agents), or the file owner
- edit: granted to org admins, managers, or the file owner
- delete: granted to org admins or the file owner
Vendor Entity
Relations
- org: relates to an organization
- primary_contact: relates to a user
Permissions
- manage: granted to org admins or agents
- view: granted to org admins, managers, agents, or the vendor’s primary contact
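To see how these permission rules resolve against relationship tuples, here is an added example (not part of the original page or of Permify itself) that evaluates the schema above over a tiny in-memory tuple store. The organization, file, vendor and user ids are constructed sample data; the case to watch is a user who is both member and agent, whom the `not` clause excludes from viewing files.

```python
from collections import defaultdict

# Relationship tuples keyed (object, relation) -> subjects, mirroring Permify's
# "entity:id#relation@user:id" tuples. Every id below is constructed sample data.
TUPLES = defaultdict(set)

def write(obj, relation, subject):
    TUPLES[(obj, relation)].add(subject)

def has(obj, relation, user):
    return user in TUPLES[(obj, relation)]

def org_of(obj):  # a file or vendor is attached to exactly one organization
    return next(iter(TUPLES[(obj, "org")]))

# permission view = org.admin or org.manager or (org.member not org.agent) or owner
def file_view(f, user):
    org = org_of(f)
    return (has(org, "admin", user) or has(org, "manager", user)
            or (has(org, "member", user) and not has(org, "agent", user))  # 'not' = exclusion
            or has(f, "owner", user))

# permission edit = org.admin or org.manager or owner
def file_edit(f, user):
    org = org_of(f)
    return has(org, "admin", user) or has(org, "manager", user) or has(f, "owner", user)

# permission delete = org.admin or owner
def file_delete(f, user):
    return has(org_of(f), "admin", user) or has(f, "owner", user)

# permission manage = org.admin or org.agent
def vendor_manage(v, user):
    return has(org_of(v), "admin", user) or has(org_of(v), "agent", user)

# permission view = org.admin or org.manager or org.agent or primary_contact
def vendor_view(v, user):
    org = org_of(v)
    return (has(org, "admin", user) or has(org, "manager", user)
            or has(org, "agent", user) or has(v, "primary_contact", user))

# Constructed sample data: dave is both member and agent, erin holds no org role at all.
for rel, who in [("admin", "user:alice"), ("manager", "user:bob"), ("member", "user:carol"),
                 ("member", "user:dave"), ("agent", "user:dave")]:
    write("organization:acme", rel, who)
write("file:q3-report", "org", "organization:acme")
write("file:q3-report", "owner", "user:erin")
write("vendor:supplyco", "org", "organization:acme")
write("vendor:supplyco", "primary_contact", "user:frank")
```

With this data, carol (member only) can view the file while dave (member and agent) cannot, and erin can view, edit and delete it purely through the owner relation.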