Relationship-Based Access Control

Checking Relations

Since you've now created your relation definitions and relations, we can now check them to determine access control. Below are the functions you can use to check relations.

Check if relation exists

The hasRelations function checks if a particular relation exists. Pass in an array of AuthzRelationQuery objects and the same objects will be returned with a boolean set to true or false;

const relations: FGARelation[] = [
  {
    resource: 'some-doc',
    resourceType: 'doc',
    relation: 'can_view',
    target: 'u1',
    targetType: 'user',
  },
];
 
const relations = await descopeClient.management.fga.check(relations);

Check who can access a particular resource

The whoCanAccess function takes in a resource, a relation definition, and a namespace corresponding to the relation definition and returns an array of users with the given relation definitions to the resource.

const resource: string = "The resource of a relation";
const relationDefinition: string = "The relation definition name";
const namespace: string = "The relation definition namespace";
 
const users: string[] = await descopeClient.management.authz.whoCanAccess(resource, relationDefinition, namespace);

Check what relations a resource has

The resourceRelations function returns an array of relations for a given resource.

const resource: string = "The resource for the relations";
 
const relations: AuthzRelation[] = descopeClient.management.authz.resourceRelations(resource);

Check what relations a target has directly

The targetsRelations function takes an array of targets (eg. users) and returns an array of relations that exist for the target directly. This will NOT return relations that exist for the target implicitly, such as through a parent node with a matching relation definition.

const targets: string[] = ["The targets to check relations for directly."];
 
const relations: AuthzRelation[] = descopeClient.management.authz.targetsRelations(targets);

Check what relations a target has directly and implicitly (recursive)

The whatCanTargetAccess function is similar to the targetsRelations function in that it takes an array of targets and returns an array of relations that exist for it, but instead of simply including direct relations, it returns implicit ones as well, traversing the tree of relations recursively.

const target: string = "The target to check relations for directly and implicitly.";
 
const relations: AuthzRelation[] = descopeClient.management.authz.whatCanTargetAccess(target);
Was this helpful?

Previous

Creating Relations

Next

Overview

On this page

Checking RelationsCheck if relation existsCheck who can access a particular resourceCheck what relations a resource hasCheck what relations a target has directlyCheck what relations a target has directly and implicitly (recursive)