Use Case
Let’s give an example to better understand the usage of Contextual Tuples, aka dynamic permissions, in access checks. Consider you’re modeling a permission system for an internal application that belongs to a multi-regional organization.
Authorization Model
In that application, an employee who belongs to the HR department can view details of another employee if:
- He/she is a Manager in the HR department
- Connected via the branch’s internal network or through the branch’s VPN
For the view_employee permission in the organization entity, we need to consider not only whether the employee is a manager but also check the IP address.
At this point, traditional relation tuples of Permify are insufficient, since the network address is a dynamic variable that cannot be added as a static relation.
So, to incorporate the IP address into our authorization model, we will use Contextual Tuples and send dynamic relation values with the access check request.
Let’s extend our authorization model by adding contextual entities and relations to create the view_employee action.
ip_address_range and related them with user. Afterwards, call those dynamic entities inside our organization entity and form the view_employee permission as follows:
Access Check With Contextual Tuples
Since we cannot create a relation statically for ip_address_range, we need to send the IP value at runtime, specifically when performing the access control check.
So let’s say user Ashley is trying to view employee X. And let’s assume that:
- She has a manager relation in the HR department with the tuple organization:1#hr_manager@user:1
- She is connected to a VPN that is connected to network 192.158.1.38, which is the branch’s internal network.
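
The check described above, as an added example that is not Permify's code or API: a toy evaluator in Python that merges a request-scoped contextual tuple with the stored tuple and evaluates view_employee as hr_manager and ip_address_range. The 192.158.1.0/24 branch range, the function names and the tuple layout are assumptions made for illustration.

```python
import ipaddress

# Constructed sample data: the stored (static) tuple from the text, plus an
# assumed CIDR for the branch network (the page gives only one address).
STORED_TUPLES = {("organization", "1", "hr_manager", "user", "1")}
BRANCH_NETWORKS = {"1": [ipaddress.ip_network("192.158.1.0/24")]}


def contextual_tuples(org_id, user_id, client_ip):
    """Build request-scoped tuples from the connection's source address.

    client_ip must be taken from the server side of the connection (socket
    peer or a trusted proxy), never from a value the caller can set freely.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return set()  # unparsable address: grant no network relation
    if any(addr in net for net in BRANCH_NETWORKS.get(org_id, [])):
        return {("organization", org_id, "ip_address_range", "user", user_id)}
    return set()


def has_relation(tuples, org_id, relation, user_id):
    return ("organization", org_id, relation, "user", user_id) in tuples


def check_view_employee(org_id, user_id, client_ip):
    """Toy evaluation of: view_employee = hr_manager and ip_address_range."""
    # Contextual tuples are merged for this one check and never stored.
    effective = STORED_TUPLES | contextual_tuples(org_id, user_id, client_ip)
    return (has_relation(effective, org_id, "hr_manager", user_id)
            and has_relation(effective, org_id, "ip_address_range", user_id))


if __name__ == "__main__":
    print(check_view_employee("1", "1", "192.158.1.38"))  # Ashley, branch network
    print(check_view_employee("1", "1", "203.0.113.7"))   # Ashley, outside network
    print(check_view_employee("1", "2", "192.158.1.38"))  # on network, not a manager
```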