You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: app/best-practices/page.mdx
+4-5Lines changed: 4 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -105,15 +105,14 @@ You should be testing the logic of your schema to ensure that it behaves the way
105
105
Tags: **schema**
106
106
107
107
If an authorization concept can be expressed using relations, it should be.
108
-
We provide caveats as an escape hatch; they should only be used for context that’s only available at request time, or else ABAC logic that cannot be expressed in terms of relationships.
108
+
We provide caveats as an escape hatch; they should only be used for context that’s only available at request time, or for ABAC logic that cannot be expressed in terms of relationships.
109
109
110
-
This is because caveats come with a performance penalty.
111
-
A caveated relationship is both harder to cache and also slows down computation of the graph walk required to compute a permission.
110
+
This is because caveats come with a performance penalty: a caveated relationship is both harder to cache and also slows down computation of the graph walk required to compute a permission.
112
111
113
112
Some examples:
114
113
115
-
- A banlist - this could be expressed as a list in caveat context, but it can also be expressed as a relation with negation.
116
-
- A notion of public vs internal - boolean flags seem like an obvious caveat use case, but they can also be expressed using self relations.
114
+
- A banlist - this could be expressed as a list in caveat context, but it can also be expressed as a relation with [exclusion](https://authzed.com/docs/spicedb/concepts/schema#--exclusion).
115
+
- A notion of public vs internal - boolean flags seem like an obvious caveat use case, but they can also be expressed using [loop relationships](https://authzed.com/docs/spicedb/modeling/attributes#loop-relationships).
117
116
- Dynamic roles - these could be expressed as a list in caveats, and it’s not immediately obvious how to build them into a SpiceDB schema, but our [Google Cloud IAM example](https://authzed.com/blog/google-cloud-iam-modeling) shows how it’s possible.
Copy file name to clipboardExpand all lines: app/spicedb/modeling/attributes/page.mdx
+13-18Lines changed: 13 additions & 18 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,49 +5,44 @@ import { Callout } from "nextra/components";
5
5
6
6
If you are migrating to SpiceDB from a pre-existing authorization system, it's likely that attributes play a part in your authorization evaluations.
7
7
8
-
SpiceDB is a Relationship Based Access control system.
9
-
This gives SpiceDB the flexibility to evaluate attributes for access control alongside more complicated access control logic like roles and/or relationships.
8
+
SpiceDB can evaluate attributes for access control decisions alongside more complicated access control logic like roles and/or relationships.
10
9
11
10
The sections below will provide practical examples for implementing various kinds of attributes in the SpiceDB schema language.
12
11
Before reading this guide, it's recommended that you have some familiarity with the SpiceDB schema language.
13
12
[This guide](/spicedb/modeling/developing-a-schema) is a good place to start.
14
13
15
14
## Boolean Attributes
16
15
17
-
A boolean attribute is an attribute on an object that affects authorization by enabling or disabling an authorization setting.
18
-
Boolean attributes can often be thought of as a toggle.
19
-
Feature flag authorization can be enabled with boolean attributes.
16
+
A boolean or binary attribute is an attribute on an object that can affect authorization.
17
+
Boolean attributes can often be thought of as a toggle. For example, feature flag authorization can be enabled with boolean attributes.
20
18
21
19
### Loop Relationships
22
20
23
21
Loop relationships are one way to implement boolean attributes.
24
22
25
-
In the example below, there is a schema that enforces the following authorization logic: a user can
26
-
only view a document if the user is related to the document as viewer and editing is enabled for the
27
-
document (this is the same authorization logic used in the wildcard example below).
23
+
In the example below, there is a schema that enforces the following authorization logic: a `user` can
24
+
only `view` a `document` if a) the `user` is related to the document as `editor`, and b) if editing is enabled for the
25
+
`document`.
28
26
29
-
In the example below, to enable editing for a document, a loop relationship using the `edit_enabled` relation must be written.
27
+
To enable editing for a document, a loop relationship using the `edit_enabled` relation must be written.
30
28
When a `document` is related to itself with the `edit_enabled` relation, that relation can be walked to itself
31
29
(with the arrow) to determine who relates to the document as an `editor`.
32
30
33
-
In summary, a `user` has permission to edit a `document` if they are related to that document as an `editor`
34
-
and that document is related to itself with `edit_enabled`.
35
-
36
31
<InlinePlaygroundreference="ifgMyLGN-Hjw" />
37
32
38
33
<Callouttype="warning">
39
34
There is no mechanism in the SpiceDB schema language that enforces that a relation be used as a
40
-
loop relation. In order to avoid accidentally misusing a loop relation (e.g. relating an object to
41
-
a different instance of the same type) it is recommended to implement client side logic that
42
-
enforces only using the loop relation for its intended purpose.
35
+
loop relation. In order to avoid accidentally misusing a loop relation (e.g. by writing the
36
+
relationship like `document:1#edit_enabled@document:2`) it is recommended to implement client side
37
+
logic that enforces only using the loop relation for its intended purpose.
43
38
</Callout>
44
39
45
40
### Wildcards
46
41
47
-
[Wildcards](/spicedb/concepts/schema#wildcards) are a way to implement boolean attributes.
42
+
[Wildcards](/spicedb/concepts/schema#wildcards) are another way to implement boolean attributes.
48
43
Wildcards modify a type so that a relationship can be written to all objects of a resource type but not individual objects.
49
44
50
-
In the example below, the schema enforces the following authorization logic: a user will have `edit` permission on the document if they are related to the document as an `editor` and they relate to the document through `edit_enabled`.
45
+
In the example below, the schema enforces the following authorization logic: a `user` will have `edit` permission on the document if a)they are related to the document as an `editor` and, b) they relate to the document through `edit_enabled`.
51
46
Both are required because `editor` and `edit_enabled` are [intersected](/spicedb/concepts/schema#-intersection) at the `edit` permission definition.
52
47
To enable document editing, you need to establish a relationship that connects all users to the document using the `edit_enabled` relation: `document:somedocument#edit_enabled@user:*`.
53
48
@@ -104,4 +99,4 @@ This example is similar to the one above, except it requires that all `country`
104
99
105
100
In almost all cases, [caveats](/spicedb/concepts/caveats) should only be used when data required to evaluate a CheckPermission request is only available at the time of the request (e.g. user's current location or time of day).
106
101
Using caveats for static data (e.g. a document's status) can have negative performance impacts.
107
-
Static attribute data should always be modeled in the schema using patterns similar to those described above.
102
+
Static attribute data should always be modeled in the schema using the patterns described above.
0 commit comments