Concepts

Schema

A combination of one or more types. This is used to define a permission model of a system. Here's an example of part of a schema:

model AuthZ 1.0
 
type user
 
type group
  relation member: user
  relation super_admin: user
 
type folder
  relation parent: folder
  relation owner: user | group#member
  relation editor: user | group#member
  relation viewer: user | group#member
 
  permission can_create: owner | parent.owner | parent.can_create
  permission can_edit: editor | parent.editor | can_create
  permission can_view: viewer | parent.viewer | can_edit
 
type doc
  relation parent: folder
  relation owner: user | group#member
  relation editor: user | group#member
  relation viewer: user | group#member
 
  permission can_create: owner | parent.owner
  permission can_edit: editor | parent.editor & can_create
  permission can_view: (viewer | parent.viewer) - can_edit

The schema, together with Relations, allows determination of whether a relationship exists between a user and a resource. The schema can be loaded programmatically via SDK/API or modified in the Descope console.

Type

Defines a class of objects with similar characteristics and holds Relation Definitions. Examples include:

  • Document
  • Folder
  • User
  • Organization

Relation Definitions

Defines all the possible relations a user or other object can have to a Namespace. An example looks like:

relation parent: folder
relation owner: user | group#member
relation editor: user | group#member
relation viewer: user | group#member

Resource

Represents an entity in the system. It is simply an identifier, not necessarily tied to a Namespace:

  • fb83c013-3060-41f4-9590-d3233a67938f
  • descope/java-sdk
  • org_ajUc9kJ
  • new-roadmap

Targets, Relation Definitions, and Resources are the building blocks for Relations.

Target or Target Set

A Target is a unique identifier, not necessarily tied to a Namespace. A Target Set is a group or set of users/entities related by a unique identifier, a Namespace, and a Relation Definition.

Like a Resource, a Target looks as follows:

  • any identifier: e.g. lisa or 4179af14-f0c0-135-88fd-5570c7bf6f59
  • any object: e.g. fb83c013-3060-41f4-9590-d3233a67938f, descope/java-sdk or ajUc9kJ

The Target Set:

  • a group or a set of users (also called a userset): e.g. organization#members, which represents the set of users related to the object as member

Relation

A tuple consisting of a Target or Target Set, a Relation Definition, and a Resource, stored in Descope's FGA service.

A Relation consists of a:

  • Target or Target Set, e.g. anne, 3f7768e0-4fa7-4e93-8417-4da68ce1846c, descope
  • Target Type, e.g. user, group#member, folder#editor
  • Relation, e.g. editor, member or parent_workspace
  • Resource, e.g. note-1, descope.com or marketing
  • Resource Type, e.g. note, site, org

An authorization Schema, together with Relations, allows the determination of whether a relationship exists between a Target and a Resource.

Throughout the documentation, you will encounter Relations represented as:

Relation("n1", "note", "can_view", "u1", "user")

Direct and Implied Relations

A direct relationship between user X and object Y means the Relation (target=X, relation definition=R, resource=Y) exists, and the Descope FGA authorization model for that relation allows this direct relationship.

An implied (or computed) relationship exists between target X and resource Y if target X is related to a resource Z that is in a direct or implied relationship with resource Y, and the Descope FGA authorization model allows it.
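To make the direct/implied distinction concrete, here is a small evaluator, added for this page and not part of Descope's SDK or API, that walks the folder/doc schema shown above over a constructed set of Relations. It resolves direct tuples, target sets such as group:eng#member, and the parent.X, |, & and - operators in the permission expressions. Two assumptions are labelled in the code: the tuple store and the identifiers (anne, bob, group:eng, folder:root, folder:q3, doc:roadmap) are invented for the example, and the ambiguous doc permission `editor | parent.editor & can_create` is read as `editor | (parent.editor & can_create)`.

```python
"""Minimal evaluator for the schema on this page (constructed example, not Descope code)."""

# Permission expressions as small ASTs:
#   ("rel", name)            relation `name` on the resource itself (direct or via a target set)
#   ("via", "parent", name)  `parent.name`: relation or permission `name` on each parent of the resource
#   ("or", a, b, ...)  ("and", a, b, ...)  ("minus", a, b)   union, intersection, exclusion
R = lambda name: ("rel", name)
P = lambda name: ("via", "parent", name)

SCHEMA = {
    "user": {"relations": set(), "permissions": {}},
    "group": {"relations": {"member", "super_admin"}, "permissions": {}},
    "folder": {
        "relations": {"parent", "owner", "editor", "viewer"},
        "permissions": {
            "can_create": ("or", R("owner"), P("owner"), P("can_create")),
            "can_edit": ("or", R("editor"), P("editor"), R("can_create")),
            "can_view": ("or", R("viewer"), P("viewer"), R("can_edit")),
        },
    },
    "doc": {
        "relations": {"parent", "owner", "editor", "viewer"},
        "permissions": {
            "can_create": ("or", R("owner"), P("owner")),
            # Assumption: `&` binds tighter than `|` in the page's expression.
            "can_edit": ("or", R("editor"), ("and", P("editor"), R("can_create"))),
            "can_view": ("minus", ("or", R("viewer"), P("viewer")), R("can_edit")),
        },
    },
}

# Constructed Relations (target, relation definition, resource); all identifiers are invented.
TUPLES = {
    ("user:anne", "owner", "folder:root"),
    ("group:eng#member", "viewer", "folder:root"),   # a target set, not a single user
    ("user:bob", "member", "group:eng"),
    ("folder:root", "parent", "folder:q3"),
    ("folder:q3", "parent", "doc:roadmap"),
    ("user:carol", "viewer", "doc:roadmap"),
    ("user:dave", "viewer", "doc:roadmap"),
    ("user:dave", "editor", "doc:roadmap"),
}

MAX_DEPTH = 20  # guard against cyclic parent chains in the tuple store


def check(user, relation, resource, tuples=TUPLES, depth=0):
    """True if `user` holds `relation` (a relation definition or a permission) on `resource`."""
    if depth > MAX_DEPTH:
        return False
    obj_type = resource.split(":", 1)[0]
    spec = SCHEMA[obj_type]
    if relation in spec["relations"]:
        for target, rel, res in tuples:
            if rel != relation or res != resource:
                continue
            if target == user:
                return True  # direct relationship: the tuple itself exists
            if "#" in target:  # target set: expand e.g. group:eng#member
                obj, sub = target.split("#", 1)
                if check(user, sub, obj, tuples, depth + 1):
                    return True
        return False
    return evaluate(user, spec["permissions"][relation], resource, tuples, depth)


def evaluate(user, expr, resource, tuples, depth):
    """Evaluate a permission expression AST for `user` on `resource` (implied relationships)."""
    op = expr[0]
    if op == "rel":
        return check(user, expr[1], resource, tuples, depth + 1)
    if op == "via":
        _, via, name = expr
        parents = [t for t, r, res in tuples if r == via and res == resource]
        return any(check(user, name, parent, tuples, depth + 1) for parent in parents)
    if op == "or":
        return any(evaluate(user, e, resource, tuples, depth) for e in expr[1:])
    if op == "and":
        return all(evaluate(user, e, resource, tuples, depth) for e in expr[1:])
    if op == "minus":
        return (evaluate(user, expr[1], resource, tuples, depth)
                and not evaluate(user, expr[2], resource, tuples, depth))
    raise ValueError(f"unknown operator {op!r}")


if __name__ == "__main__":
    for user, perm, res in [("user:anne", "can_create", "folder:q3"),
                            ("user:bob", "can_view", "folder:q3"),
                            ("user:bob", "can_view", "doc:roadmap"),
                            ("user:dave", "can_view", "doc:roadmap")]:
        print(user, perm, res, check(user, perm, res))
```

Three things the run shows that the prose alone does not: bob can_view folder:root only because the target set group:eng#member is expanded through his member tuple on group:eng; anne can_create folder:q3 is implied through parent.owner on folder:root even though no tuple names her on q3; and bob cannot view doc:roadmap, because the doc type's can_view refers to parent.viewer (the relation on the parent folder), not parent.can_view, so membership-based visibility stops one level up. The exclusion in (viewer | parent.viewer) - can_edit is why dave, who is both viewer and editor of the doc, ends up without can_view while carol, a viewer only, keeps it.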
