ReBAC (Relationship-Based Access Control)
cidaas ReBAC uses Relation Store to store authorization graphs: object types, relations, permissions, and relationship tuples.
| Service | Role |
|---|---|
| policy-management-srv | Admin APIs — live schema, tuples, import/export, catalog, caveat parameters, graph visualization |
| rebac-srv | Runtime APIs — permission checks and lookups invoked by PDP rebac.* Rego builtins |
| policy-decision-srv | Evaluates Rego policies that call ReBAC builtins (delegates to rebac-srv) |
See AuthZEN Fine-Grained Authorization for architecture.
OpenAPI: Policy Management ReBAC · ReBAC runtime
Concepts
| Term | Description |
|---|---|
| Schema | Definition of object types, relations, and derived permissions |
| Tuple | A relationship edge, for example document:readme#editor@user:bob |
| Permission | Computed access derived from relations (for example view = owner + editor + viewer) |
| Caveat | Conditional tuple with contextual parameters |
| Catalog | Versioned Mongo-backed snapshots of schemas, tuples, and caveat params (separate from live Relation Store writes) |
Example schema
definition user {}
definition document {
relation owner: user
relation editor: user
relation viewer: user
permission edit = owner + editor
permission view = owner + editor + viewer
}
Example tuples
document:readme#owner@user:alice
document:readme#editor@user:bob
project:authzen#member@user:carol
Live Schema Administration
| API | Description | Link |
|---|---|---|
| Read schema | Current tenant schema and version metadata | View API |
| Write schema | Apply schema text; optional validate (default true) | View API |
| Dry-run schema | Validate schema without applying | View API |
| List schema versions | Named live schema versions | View API |
| Create schema version | Create a named schema version | View API |
| Get schema version | Fetch a version by ID | View API |
| Activate schema version | Apply a stored version as the live schema | View API |
| Graph schema | Schema as a visualization graph | View API |
Write request:
{
"schema": "definition user {}\ndefinition document { relation owner: user permission view = owner }",
"validate": true
}
Relationship Administration
tuple API (admin)
POST /policy-management-srv/admin/rebac/relationships
Supports structured tuples or tuple strings. Operations: TOUCH (upsert), CREATE, DELETE.
{
"operations": [
{
"op": "TOUCH",
"tuple": "document:readme#editor@user:bob"
}
],
"preconditions": [
{
"filter": "document:readme#owner@user:*",
"must": "MUST_MATCH"
}
]
}
| API | Description | Link |
|---|---|---|
| Write relationships | Create, touch, or delete tuples | View API |
| Query relationships | Filter by resource, relation, subject | View API |
| Delete relationships | Bulk delete by filter | View API |
| Import relationships | Bulk import from text or JSON | View API |
| Export relationships | Export tuples as text | View API |
Structured Relation Store API
For structured objects, use the relationships/write and relationships/read endpoints with object_type / object_id references.
| API | Description | Link |
|---|---|---|
| Write structured | updates array with operation and relationship | View API |
| Read structured | Filter by relationship_filter | View API |
Query example
{
"filter": {
"resourceType": "document",
"relation": "editor"
},
"optionalLimit": 100
}
Response tuples are returned as strings in data.tuples.
Runtime Permission APIs (rebac-srv)
At evaluation time, rebac-srv serves read-only permission APIs. The same check and lookup-resources endpoints are also available on policy-management-srv for admin tooling.
| API | Service | Description | Link |
|---|---|---|---|
| Check permission | rebac-srv | Whether a subject has a permission on a resource | View API |
| Lookup resources | rebac-srv | Resource IDs a subject can access | View API |
| Lookup subjects | rebac-srv | Subject IDs with permission on a resource | View API |
| Expand permission tree | rebac-srv | Debug permission expansion at runtime | View API |
| Expand permission tree | policy-management-srv | Admin graph expansion | View API |
Check request example:
{
"resource": { "object_type": "document", "object_id": "readme" },
"permission": "view",
"subject": {
"object": { "object_type": "user", "object_id": "alice" }
}
}
Caveat Parameters
Store contextual caveat parameter values referenced by conditional tuples.
| API | Description | Link |
|---|---|---|
| Create caveat param | POST .../caveats/{caveatName}/params | View API |
| Get caveat param | Fetch by caveat name and parameter key | View API |
| Patch caveat param | Update parameter value | View API |
| Delete caveat param | Remove parameter | View API |
ReBAC Catalog
The catalog stores versioned ReBAC artifacts in Mongo for export/import and change history. Catalog entries are separate from live Relation Store writes.
| Resource | List | Create |
|---|---|---|
| Schemas | List | Create |
| Relationship tuples | List | Create |
| Caveat parameters | List | Create |
Each catalog resource also supports get, update, and delete by document ID.
Using ReBAC in Rego Policies
During evaluation on policy-decision-srv, Rego policies can call ReBAC builtins that delegate to rebac-srv. Each builtin accepts a JSON body (same shape as the rebac-srv API) and returns the response data object.
| Rego function | rebac-srv route | Purpose |
|---|---|---|
rebac.has_relation(body) | permissions/check | Check whether a relation or permission holds |
rebac.lookup_resources(body) | permissions/lookup-resources | Find resources for a subject and permission |
rebac.lookup_subjects(body) | permissions/lookup-subjects | Find subjects for a resource and permission |
rebac.expand(body) | graph/expand | Expand permission tree |
rebac.has_relation_with_context(body) | permissions/check | Relation check with caveat context in the body |
Example:
package authzen
import rego.v1
default allow := false
# Allow when the subject owns the resource, OR ReBAC grants the permission.
allow if {
input.subject.id == input.resource.properties.owner_id
}
allow if {
resp := rebac.has_relation({
"resource": {"object_type": input.resource.type, "object_id": input.resource.id},
"permission": input.action.name,
"subject": {"object": {"object_type": input.subject.type, "object_id": input.subject.id}},
})
resp.permissionship == "PERMISSIONSHIP_HAS_PERMISSION"
}
Scopes and Roles
| Operation | Scopes |
|---|---|
| Read schema / query tuples / runtime checks | cidaas:authzen_rebac_read, cidaas:authzen_read |
| Write schema / write tuples | cidaas:authzen_rebac_write, cidaas:authzen_write |
| Delete tuples / catalog entries | cidaas:authzen_delete |
Requires an eligible role in the CIDAAS_ADMINS group (POLICY_READ, POLICY_CREATE, POLICY_DELETE, AUTHZEN_MANAGER, or admin roles).
Please contact us on our support page or reach out to cidaas support at [email protected].