ReBAC support

[coopbri]

Following up from convo in Discord:

Relationship-based access control (ReBAC) is an access control model where permissions are granted based on the relationships between entities (e.g. users, resources, groups), beyond roles and attributes. This is used in production by companies like Google (e.g. for Google Docs sharing permissions), and enables convenient use case fulfillment such as automatic relations/authZ based on nested attributes resulting from an authZ graph (typically directed).

See Google Zanzibar paper for reference implementation

Reading/references:

• https://cspages.ucalgary.ca/~pwlfong/Pub/codaspy2011.pdf
• https://dl.acm.org/doi/10.1145/1943513.1943539
• https://www.researchgate.net/publication/236136712_A_New_Access_Control_Scheme_for_Facebook-Style_Social_Networks
• https://www.osohq.com/academy/relationship-based-access-control-rebac
• https://permify.co/post/relationship-based-access-control-rebac
• https://aws.amazon.com/blogs/database/graph-powered-authorization-relationship-based-access-control-for-access-management
• https://docs.permit.io/how-to/build-policies/rebac/overview
• https://www.permit.io/blog/custom-policies

With ReBAC support, this plugin would allow BA to become a one-stop shop for every mainstream authZ use case!

[cnbrown04]

I think the implementation already has almost everything for ReBAC, take a look at the implementation and see what is needed to be added. I don't have a lot of experience with ReBAC.

@coopbri Resources, users, etc are already implemented, not sure what else would be needed for the ReBAC implementation as well.