ReBAC (Relationship-Based Access Control)
cidaas ReBAC uses Relation Store APIs to store authorization graphs: object types, relations, permissions, and relationship tuples. The policy-management-srv admin APIs manage schema and tuples; policy-decision-srv evaluates ReBAC builtins inside Rego policies.
See AuthZEN Fine-Grained Authorization for architecture. OpenAPI: ReBAC endpoints.
Concepts
| Term | Description |
|---|---|
| Schema | Definition of object types, relations, and derived permissions |
| Tuple | A relationship edge, for example document:readme#editor@user:bob |
| Permission | Computed access derived from relations (for example view = owner + editor + viewer) |
| Caveat | Conditional tuple with contextual parameters |
Example schema
definition user {}
definition document {
relation owner: user
relation editor: user
relation viewer: user
permission edit = owner + editor
permission view = owner + editor + viewer
}
Example tuples
document:readme#owner@user:alice
document:readme#editor@user:bob
project:authzen#member@user:carol
Schema Administration
| API | Description | Link |
|---|---|---|
| Read schema | Current tenant schema and version metadata | View API |
| Write schema | Apply schema text; optional validate (default true) | View API |
Write request:
{
"schema": "definition user {}\ndefinition document { relation owner: user permission view = owner }",
"validate": true
}
Relationship Administration
Write relationships
POST /policy-management-srv/admin/rebac/relationships
Supports structured tuples or Zed tuple strings. Operations: TOUCH (upsert), CREATE, DELETE.
{
"operations": [
{
"op": "TOUCH",
"tuple": "document:readme#editor@user:bob"
}
],
"preconditions": [
{
"filter": "document:readme#owner@user:*",
"must": "MUST_MATCH"
}
]
}
| API | Description | Link |
|---|---|---|
| Write relationships | Create, touch, or delete tuples | View API |
| Query relationships | Filter by resource, relation, subject | View API |
| Delete relationships | Bulk delete by filter | View API |
Query example
{
"filter": {
"resourceType": "document",
"relation": "editor"
},
"optionalLimit": 100
}
Response tuples are returned as Zed-format strings in data.tuples.
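The following is an added, self-contained Python model of the behaviour described in the Concepts and Relationship Administration sections; it is not cidaas code and does not call the policy-management-srv APIs. It parses Zed tuple strings, checks tuples against the example schema the way validate=true is meant to, applies TOUCH/CREATE/DELETE batches with MUST_MATCH / MUST_NOT_MATCH preconditions, answers structured filter queries, and derives permissions as unions of relations. Field names (resource_type, subject_id, the limit argument) and the rule that CREATE rejects an existing tuple are assumptions for the model; the real endpoints use the names in the OpenAPI ReBAC endpoints.

```python
from __future__ import annotations

import re
from dataclasses import astuple, dataclass

# Zed tuple syntax as used on this page:
#   <resource_type>:<resource_id>#<relation>@<subject_type>:<subject_id>
# "*" in an id position is allowed only in filters (e.g. the precondition
# "document:readme#owner@user:*"), never in a stored tuple.
TUPLE_RE = re.compile(r"^([\w-]+):([\w./*-]+)#([\w-]+)@([\w-]+):([\w./*-]+)$")
FIELDS = ("resource_type", "resource_id", "relation", "subject_type", "subject_id")


@dataclass(frozen=True)
class Tuple:
    resource_type: str
    resource_id: str
    relation: str
    subject_type: str
    subject_id: str

    @classmethod
    def parse(cls, s: str) -> Tuple:
        m = TUPLE_RE.match(s)
        if not m:
            raise ValueError(f"malformed tuple: {s!r}")
        return cls(*m.groups())

    def __str__(self) -> str:
        return f"{self.resource_type}:{self.resource_id}#{self.relation}@{self.subject_type}:{self.subject_id}"


# The page's example schema as data (a stand-in for the schema DSL, not a parser for it):
# each relation lists the subject types it accepts; each permission is a union of relations.
SCHEMA = {
    "user": {"relations": {}, "permissions": {}},
    "document": {
        "relations": {"owner": {"user"}, "editor": {"user"}, "viewer": {"user"}},
        "permissions": {"edit": ["owner", "editor"], "view": ["owner", "editor", "viewer"]},
    },
    "project": {"relations": {"member": {"user"}}, "permissions": {}},
}


def filter_from_zed(s: str) -> dict:
    """Turn a wildcard tuple string into a structured filter: '*' fields are dropped."""
    return {k: v for k, v in zip(FIELDS, astuple(Tuple.parse(s))) if v != "*"}


class RelationStore:
    """In-memory stand-in for the tenant relation store (constructed for this example)."""

    def __init__(self, schema: dict):
        self.schema = schema
        self.tuples: set[Tuple] = set()

    def validate(self, t: Tuple) -> None:
        """Reject tuples the schema does not permit (what validate=true guards on writes)."""
        otype = self.schema.get(t.resource_type)
        if otype is None:
            raise ValueError(f"unknown object type {t.resource_type!r}")
        allowed = otype["relations"].get(t.relation)
        if allowed is None:
            raise ValueError(f"{t.resource_type} has no relation {t.relation!r}")
        if t.subject_type not in allowed:
            raise ValueError(f"{t.resource_type}#{t.relation} does not accept {t.subject_type!r}")
        if "*" in (t.resource_id, t.subject_id):
            raise ValueError("wildcards are only valid in filters")

    def query(self, limit: int | None = None, **filt: str) -> list[str]:
        """Structured filter on any of resource_type/resource_id/relation/subject_type/subject_id."""
        bad = set(filt) - set(FIELDS)
        if bad:
            raise ValueError(f"unknown filter fields {sorted(bad)}")
        hits = sorted(str(t) for t in self.tuples if all(getattr(t, k) == v for k, v in filt.items()))
        return hits[:limit] if limit else hits

    def write(self, operations: list[dict], preconditions: list[dict] = ()) -> list[str]:
        """Apply a TOUCH/CREATE/DELETE batch atomically after checking every precondition."""
        for pre in preconditions:
            hits = self.query(**filter_from_zed(pre["filter"]))
            if pre["must"] == "MUST_MATCH" and not hits:
                raise PermissionError(f"precondition failed: nothing matches {pre['filter']}")
            if pre["must"] == "MUST_NOT_MATCH" and hits:
                raise PermissionError(f"precondition failed: {hits[0]} matches {pre['filter']}")
        ops = []
        for o in operations:  # structured tuples or Zed strings are both accepted
            t = Tuple.parse(o["tuple"]) if isinstance(o["tuple"], str) else Tuple(**o["tuple"])
            self.validate(t)
            if o["op"] == "CREATE" and t in self.tuples:  # assumed: CREATE is not an upsert
                raise ValueError(f"CREATE would duplicate {t}")
            if o["op"] not in ("TOUCH", "CREATE", "DELETE"):
                raise ValueError(f"unknown op {o['op']!r}")
            ops.append((o["op"], t))
        for op, t in ops:  # nothing is applied until every op in the batch has passed
            (self.tuples.discard if op == "DELETE" else self.tuples.add)(t)
        return [str(t) for _, t in ops]

    def has_permission(self, resource: str, permission: str, subject: str) -> bool:
        """A permission is the union of its relations; a bare relation name is checked directly."""
        rtype, rid = resource.split(":", 1)
        stype, sid = subject.split(":", 1)
        rels = self.schema[rtype]["permissions"].get(permission, [permission])
        return any(Tuple(rtype, rid, r, stype, sid) in self.tuples for r in rels)


def demo_store() -> RelationStore:
    """Replays the page's example tuples and its precondition-guarded write request."""
    store = RelationStore(SCHEMA)
    store.write([{"op": "TOUCH", "tuple": "document:readme#owner@user:alice"},
                 {"op": "CREATE", "tuple": "project:authzen#member@user:carol"}])
    # bob becomes editor only if readme already has an owner (the page's precondition)
    store.write([{"op": "TOUCH", "tuple": "document:readme#editor@user:bob"}],
                [{"filter": "document:readme#owner@user:*", "must": "MUST_MATCH"}])
    return store
```

The precondition is the part worth copying into real client code: without it, a TOUCH that grants editor can race ahead of the ownership write it depends on, and the batch is applied as a unit so a schema-invalid tuple in a batch leaves no partial state behind.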
Using ReBAC in Rego Policies
During evaluation on policy-decision-srv, Rego policies can call ReBAC builtins that delegate to policy-management-srv ReBAC APIs:
| Rego function | Purpose |
|---|---|
| rebac.has_relation(body) | Check whether a relation or permission holds |
| rebac.lookup_resources(body) | Find resources for a subject and permission |
| rebac.lookup_subjects(body) | Find subjects for a resource and permission |
| rebac.expand(body) | Expand permission tree |
| rebac.has_relation_with_context(body) | Relation check with caveat context |
Example:
package authzen
import rego.v1
default allow := false
allow if {
resp := rebac.has_relation({
"resource": input.resource.id,
"permission": input.action.name,
})
resp.allowed == true
}
Scopes and Roles
| Operation | Scopes |
|---|---|
| Read schema / query tuples | cidaas:authzen_rebac_read, cidaas:authzen_read, cidaas:authzen_management |
| Write schema / write tuples | cidaas:authzen_rebac_write, cidaas:authzen_write, cidaas:authzen_management |
| Delete tuples | cidaas:authzen_delete, cidaas:authzen_management |
Requires an eligible role in the CIDAAS_ADMINS group (POLICY_READ, POLICY_CREATE, POLICY_DELETE, AUTHZEN_MANAGER, or admin roles).