
Commit 9f12c56

Added authz support for mgmt (#309)
* Added authz support for mgmt
* Fixed README
* Fixed default arguments
* Fixed dict type for body
* Fixed dict type for body II
1 parent a1c2f46 commit 9f12c56


7 files changed

+1456
-1
lines changed


README.md

Lines changed: 178 additions & 1 deletion
@@ -66,7 +66,8 @@ These sections show how to use the SDK to perform permission and user management
6666
9. [Manage JWTs](#manage-jwts)
6767
10. [Embedded links](#embedded-links)
6868
11. [Search Audit](#search-audit)
69-
12. [Manaage Project](#manage-project)
69+
12. [Manage ReBAC Authz](#manage-rebac-authz)
70+
13. [Manaage Project](#manage-project)
7071

7172
If you wish to run any of our code samples and play with them, check out our [Code Examples](#code-examples) section.
7273
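Review bot: the renumbered entry "13. [Manaage Project](#manage-project)" carries over the "Manaage" typo from the line it replaces, even though the commit message says the README was fixed; since the line is being rewritten anyway, make it "13. [Manage Project](#manage-project)" so the TOC text matches the "### Manage Project" heading it links to.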

@@ -845,6 +846,182 @@ audits = descope_client.mgmt.audit.search(
845846
audits = descope_client.mgmt.audit.search(actions=["LoginSucceed"])
846847
```
847848

849+
### Manage ReBAC Authz
850+
851+
Descope supports full relation based access control (ReBAC) using a zanzibar like schema and operations.
852+
A schema is comprized of namespaces (entities like documents, folders, orgs, etc.) and each namespace has relation definitions to define relations.
853+
Each relation definition can be simple (either you have it or not) or complex (union of nodes).
854+
855+
A simple example for a file system like schema would be:
856+
857+
```yaml
858+
# Example schema for the authz tests
859+
name: Files
860+
namespaces:
861+
- name: org
862+
relationDefinitions:
863+
- name: parent
864+
- name: member
865+
complexDefinition:
866+
nType: union
867+
children:
868+
- nType: child
869+
expression:
870+
neType: self
871+
- nType: child
872+
expression:
873+
neType: relationLeft
874+
relationDefinition: parent
875+
relationDefinitionNamespace: org
876+
targetRelationDefinition: member
877+
targetRelationDefinitionNamespace: org
878+
- name: folder
879+
relationDefinitions:
880+
- name: parent
881+
- name: owner
882+
complexDefinition:
883+
nType: union
884+
children:
885+
- nType: child
886+
expression:
887+
neType: self
888+
- nType: child
889+
expression:
890+
neType: relationRight
891+
relationDefinition: parent
892+
relationDefinitionNamespace: folder
893+
targetRelationDefinition: owner
894+
targetRelationDefinitionNamespace: folder
895+
- name: editor
896+
complexDefinition:
897+
nType: union
898+
children:
899+
- nType: child
900+
expression:
901+
neType: self
902+
- nType: child
903+
expression:
904+
neType: relationRight
905+
relationDefinition: parent
906+
relationDefinitionNamespace: folder
907+
targetRelationDefinition: editor
908+
targetRelationDefinitionNamespace: folder
909+
- nType: child
910+
expression:
911+
neType: targetSet
912+
targetRelationDefinition: owner
913+
targetRelationDefinitionNamespace: folder
914+
- name: viewer
915+
complexDefinition:
916+
nType: union
917+
children:
918+
- nType: child
919+
expression:
920+
neType: self
921+
- nType: child
922+
expression:
923+
neType: relationRight
924+
relationDefinition: parent
925+
relationDefinitionNamespace: folder
926+
targetRelationDefinition: viewer
927+
targetRelationDefinitionNamespace: folder
928+
- nType: child
929+
expression:
930+
neType: targetSet
931+
targetRelationDefinition: editor
932+
targetRelationDefinitionNamespace: folder
933+
- name: doc
934+
relationDefinitions:
935+
- name: parent
936+
- name: owner
937+
complexDefinition:
938+
nType: union
939+
children:
940+
- nType: child
941+
expression:
942+
neType: self
943+
- nType: child
944+
expression:
945+
neType: relationRight
946+
relationDefinition: parent
947+
relationDefinitionNamespace: doc
948+
targetRelationDefinition: owner
949+
targetRelationDefinitionNamespace: folder
950+
- name: editor
951+
complexDefinition:
952+
nType: union
953+
children:
954+
- nType: child
955+
expression:
956+
neType: self
957+
- nType: child
958+
expression:
959+
neType: relationRight
960+
relationDefinition: parent
961+
relationDefinitionNamespace: doc
962+
targetRelationDefinition: editor
963+
targetRelationDefinitionNamespace: folder
964+
- nType: child
965+
expression:
966+
neType: targetSet
967+
targetRelationDefinition: owner
968+
targetRelationDefinitionNamespace: doc
969+
- name: viewer
970+
complexDefinition:
971+
nType: union
972+
children:
973+
- nType: child
974+
expression:
975+
neType: self
976+
- nType: child
977+
expression:
978+
neType: relationRight
979+
relationDefinition: parent
980+
relationDefinitionNamespace: doc
981+
targetRelationDefinition: viewer
982+
targetRelationDefinitionNamespace: folder
983+
- nType: child
984+
expression:
985+
neType: targetSet
986+
targetRelationDefinition: editor
987+
targetRelationDefinitionNamespace: doc
988+
```
989+
990+
Descope SDK allows you to fully manage the schema and relations as well as perform simple (and not so simple) checks regarding the existence of relations.
991+
992+
```python
993+
# Load the existing schema
994+
schema = descope_client.mgmt.authz.load_schema()
995+
996+
# Save schema and make sure to remove all namespaces not listed
997+
descope_client.mgmt.authz.save_schema(schema, True)
998+
999+
# Create a relation between a resource and user
1000+
descope_client.mgmt.authz.create_relations(
1001+
[
1002+
{
1003+
"resource": "some-doc",
1004+
"relationDefinition": "owner",
1005+
"namespace": "doc",
1006+
"target": "u1",
1007+
}
1008+
]
1009+
)
1010+
1011+
# Check if target has the relevant relation
1012+
# The answer should be true because an owner is also a viewer
1013+
relations = descope_client.mgmt.authz.has_relations(
1014+
[
1015+
{
1016+
"resource": "some-doc",
1017+
"relationDefinition": "viewer",
1018+
"namespace": "doc",
1019+
"target": "u1",
1020+
}
1021+
]
1022+
)
1023+
```
1024+
8481025
### Manage Project
8491026

8501027
You can change the project name, as well as to clone the current project to a new one.
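Review bot: the `has_relations` example at the end of the hunk stores the result in `relations` while the comment says "The answer should be true", but nothing shows the return shape or which field carries the verdict; document what `has_relations` returns so readers do not treat the returned list itself as a boolean. The `save_schema(schema, True)` call is also a concern: the positional flag is opaque at the call site, and the comment says it removes every namespace not listed, which also discards the relations under those namespaces, so name the parameter in the call and state that consequence explicitly. Minor: "comprized" should be "comprised", "relation based access control (ReBAC) using a zanzibar like schema" reads better as "relation-based access control (ReBAC) using a Zanzibar-like schema", and the schema comment "# Example schema for the authz tests" refers to the test suite rather than the README and should be reworded.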
