Skip to main content
Version: 3.102.8

ReBAC (Relationship-Based Access Control)

cidaas ReBAC uses Relation Store to store authorization graphs: object types, relations, permissions, and relationship tuples.

ServiceRole
policy-management-srvAdmin APIs — live schema, tuples, import/export, catalog, caveat parameters, graph visualization
rebac-srvRuntime APIs — permission checks and lookups invoked by PDP rebac.* Rego builtins
policy-decision-srvEvaluates Rego policies that call ReBAC builtins (delegates to rebac-srv)

See AuthZEN Fine-Grained Authorization for architecture.

OpenAPI: Policy Management ReBAC · ReBAC runtime

Concepts

TermDescription
SchemaDefinition of object types, relations, and derived permissions
TupleA relationship edge, for example document:readme#editor@user:bob
PermissionComputed access derived from relations (for example view = owner + editor + viewer)
CaveatConditional tuple with contextual parameters
CatalogVersioned Mongo-backed snapshots of schemas, tuples, and caveat params (separate from live Relation Store writes)

Example schema


definition user {}

definition document {

relation owner: user
relation editor: user
relation viewer: user

permission edit = owner + editor
permission view = owner + editor + viewer

}

Example tuples


document:readme#owner@user:alice

document:readme#editor@user:bob

project:authzen#member@user:carol

Live Schema Administration

APIDescriptionLink
Read schemaCurrent tenant schema and version metadataView API
Write schemaApply schema text; optional validate (default true)View API
Dry-run schemaValidate schema without applyingView API
List schema versionsNamed live schema versionsView API
Create schema versionCreate a named schema versionView API
Get schema versionFetch a version by IDView API
Activate schema versionApply a stored version as the live schemaView API
Graph schemaSchema as a visualization graphView API

Write request:


{
"schema": "definition user {}\ndefinition document { relation owner: user permission view = owner }",
"validate": true
}

Relationship Administration

tuple API (admin)

POST /policy-management-srv/admin/rebac/relationships

Supports structured tuples or tuple strings. Operations: TOUCH (upsert), CREATE, DELETE.


{
"operations": [
{
"op": "TOUCH",
"tuple": "document:readme#editor@user:bob"
}
],
"preconditions": [
{
"filter": "document:readme#owner@user:*",
"must": "MUST_MATCH"
}
]
}

APIDescriptionLink
Write relationshipsCreate, touch, or delete tuplesView API
Query relationshipsFilter by resource, relation, subjectView API
Delete relationshipsBulk delete by filterView API
Import relationshipsBulk import from text or JSONView API
Export relationshipsExport tuples as textView API

Structured Relation Store API

For structured objects, use the relationships/write and relationships/read endpoints with object_type / object_id references.

APIDescriptionLink
Write structuredupdates array with operation and relationshipView API
Read structuredFilter by relationship_filterView API

Query example


{
"filter": {
"resourceType": "document",
"relation": "editor"
},

"optionalLimit": 100
}

Response tuples are returned as strings in data.tuples.

Runtime Permission APIs (rebac-srv)

At evaluation time, rebac-srv serves read-only permission APIs. The same check and lookup-resources endpoints are also available on policy-management-srv for admin tooling.

APIServiceDescriptionLink
Check permissionrebac-srvWhether a subject has a permission on a resourceView API
Lookup resourcesrebac-srvResource IDs a subject can accessView API
Lookup subjectsrebac-srvSubject IDs with permission on a resourceView API
Expand permission treerebac-srvDebug permission expansion at runtimeView API
Expand permission treepolicy-management-srvAdmin graph expansionView API

Check request example:


{
"resource": { "object_type": "document", "object_id": "readme" },
"permission": "view",
"subject": {
"object": { "object_type": "user", "object_id": "alice" }
}
}

Caveat Parameters

Store contextual caveat parameter values referenced by conditional tuples.

APIDescriptionLink
Create caveat paramPOST .../caveats/{caveatName}/paramsView API
Get caveat paramFetch by caveat name and parameter keyView API
Patch caveat paramUpdate parameter valueView API
Delete caveat paramRemove parameterView API

ReBAC Catalog

The catalog stores versioned ReBAC artifacts in Mongo for export/import and change history. Catalog entries are separate from live Relation Store writes.

ResourceListCreate
SchemasListCreate
Relationship tuplesListCreate
Caveat parametersListCreate

Each catalog resource also supports get, update, and delete by document ID.

Using ReBAC in Rego Policies

During evaluation on policy-decision-srv, Rego policies can call ReBAC builtins that delegate to rebac-srv. Each builtin accepts a JSON body (same shape as the rebac-srv API) and returns the response data object.

Rego functionrebac-srv routePurpose
rebac.has_relation(body)permissions/checkCheck whether a relation or permission holds
rebac.lookup_resources(body)permissions/lookup-resourcesFind resources for a subject and permission
rebac.lookup_subjects(body)permissions/lookup-subjectsFind subjects for a resource and permission
rebac.expand(body)graph/expandExpand permission tree
rebac.has_relation_with_context(body)permissions/checkRelation check with caveat context in the body

Example:


package authzen

import rego.v1

default allow := false

# Allow when the subject owns the resource, OR ReBAC grants the permission.
allow if {
input.subject.id == input.resource.properties.owner_id
}

allow if {
resp := rebac.has_relation({
"resource": {"object_type": input.resource.type, "object_id": input.resource.id},
"permission": input.action.name,
"subject": {"object": {"object_type": input.subject.type, "object_id": input.subject.id}},
})

resp.permissionship == "PERMISSIONSHIP_HAS_PERMISSION"
}

Scopes and Roles

OperationScopes
Read schema / query tuples / runtime checkscidaas:authzen_rebac_read, cidaas:authzen_read
Write schema / write tuplescidaas:authzen_rebac_write, cidaas:authzen_write
Delete tuples / catalog entriescidaas:authzen_delete

Requires an eligible role in the CIDAAS_ADMINS group (POLICY_READ, POLICY_CREATE, POLICY_DELETE, AUTHZEN_MANAGER, or admin roles).

warning
Need Support?

Please contact us on our support page or reach out to cidaas support at [email protected].