---
sidebar_position: 3
slug: /interacting/managing-group-access
description: Granting a group of users access to a particular object
---
import { AuthzModelSnippetViewer, CardBox, CheckRequestViewer, DocumentationNotice, ProductConcept, RelatedSection, RelationshipTuplesViewer, ProductName, ProductNameFormat, WriteRequestViewer, } from '@components/Docs';
In this guide you will learn how to grant a group of users access to a particular object.
Adding a relationship tuple specifying that a group has a relation to an object is helpful in cases where you want to encompass a set of users with the same relation to an object. For example:

- Grant a group of `engineers` `viewer` access to `roadmap.doc`
- Create a `block_list` of `members` who can't access a `document`
- Sharing a `document` with a `team`
- Granting `viewer` access to a `photo` to `followers` only
- Making a `file` viewable for all `users` within an `organization`
- Restricting access from or to `users` in a certain `locale`
In order to understand this guide correctly you must be familiar with some <ProductName /> concepts and know how to develop the things that we will list below.

Assume that you have the following authorization model. You have two types:

- `company` that can have an `employee` relation
- `document` that can have a `reader` relation

<AuthzModelSnippetViewer
  configuration={{
    schema_version: '1.1',
    type_definitions: [
      {
        type: 'user',
      },
      {
        type: 'company',
        relations: {
          employee: {
            this: {},
          },
        },
        metadata: {
          relations: {
            employee: { directly_related_user_types: [{ type: 'user' }] },
          },
        },
      },
      {
        type: 'document',
        relations: {
          reader: {
            this: {},
          },
        },
        metadata: {
          relations: {
            reader: { directly_related_user_types: [{ type: 'company', relation: 'employee' }] },
          },
        },
      },
    ],
  }}
/>
In addition, you will need to know the following:

<CardBox title="Modeling User Groups">

You need to know how to add users to groups and grant groups access to an object. [Learn more →](../modeling/user-groups)

</CardBox>

- A type: a class of objects that have similar characteristics
- A user: an entity in the system that can be related to an object
- A relation: a string defined in the type definition of an authorization model that defines the possibility of a relationship between an object of the same type as the type definition and a user in the system
- An object: represents an entity in the system. Users' relationships to it can be defined through relationship tuples and the authorization model
- A relationship tuple: a grouping consisting of a user, a relation and an object stored in <ProductName />
If we want to have every `employee` of a type `company` have a `reader` relationship with a particular object of type `document` (in this case `document:planning`), we need to add a tuple like so:
<RelationshipTuplesViewer relationshipTuples={[ { _description: 'Every employee in the company can read document:planning', user: 'company:xyz#employee', relation: 'reader', object: 'document:planning', }, ]} />
If we also write a tuple that says that Anne is an `employee` of `company:xyz`, like so:
<WriteRequestViewer relationshipTuples={[ { user: 'user:anne', relation: 'employee', object: 'company:xyz', }, ]} />
Then a call to the Check API to see whether Anne can read `document:planning` will return true:
<CheckRequestViewer user={'user:anne'} relation={'reader'} object={'document:planning'} allowed={true} />
The same check for a different user Becky, however, will return false, because Becky does not have an `employee` relationship with `company:xyz`:
<CheckRequestViewer user={'user:becky'} relation={'reader'} object={'document:planning'} allowed={false} />
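To make the two checks above concrete, the following is an added example (not OpenFGA's own implementation, and not part of the original page) that simulates how a userset tuple such as `company:xyz#employee` is expanded during a check. It hard-codes the guide's model and the two tuples written above, and covers only relations defined with `this` plus direct and userset assignments, which is all the model above uses; the `check` function and the `MODEL` / `TUPLES` structures are assumptions made for this illustration.

```python
"""Offline simulation of group access via a userset tuple.

Added example, not OpenFGA's code: it resolves a check by expanding
usersets ('type:id#relation') recursively against a hard-coded model
and tuple set.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple:
    user: str      # 'user:anne' or a userset such as 'company:xyz#employee'
    relation: str
    object: str


# The guide's authorization model reduced to what the resolver needs:
# for each (type, relation), which (user type, relation-or-None) may be
# written directly. (None means a plain user object, e.g. 'user:anne'.)
MODEL = {
    ("company", "employee"): [("user", None)],
    ("document", "reader"): [("company", "employee")],
}

# The two relationship tuples written in the guide.
TUPLES = [
    Tuple("company:xyz#employee", "reader", "document:planning"),
    Tuple("user:anne", "employee", "company:xyz"),
]


def _split(obj: str) -> tuple:
    """'document:planning' -> ('document', 'planning')."""
    type_name, _, obj_id = obj.partition(":")
    return type_name, obj_id


def check(user, relation, obj, tuples=TUPLES, model=MODEL, _seen=None):
    """Return True if `user` has `relation` on `obj`, expanding usersets."""
    _seen = set() if _seen is None else _seen
    key = (user, relation, obj)
    if key in _seen:          # guard against cyclic userset definitions
        return False
    _seen.add(key)

    obj_type, _ = _split(obj)
    allowed = model.get((obj_type, relation))
    if allowed is None:
        return False          # relation is not defined on this type

    for t in tuples:
        if t.relation != relation or t.object != obj:
            continue
        if "#" in t.user:
            # Userset tuple: 'company:xyz#employee' grants access to every
            # user who has 'employee' on 'company:xyz', so recurse on that.
            group_obj, _, group_rel = t.user.partition("#")
            group_type, _ = _split(group_obj)
            if (group_type, group_rel) in allowed and check(
                user, group_rel, group_obj, tuples, model, _seen
            ):
                return True
        elif t.user == user and (_split(t.user)[0], None) in allowed:
            return True       # direct assignment permitted by the model
    return False


if __name__ == "__main__":
    print(check("user:anne", "reader", "document:planning"))   # True
    print(check("user:becky", "reader", "document:planning"))  # False
```

Anne is allowed because the resolver finds the userset tuple on `document:planning`, sees that the model permits `company#employee` as a reader, and then finds her `employee` tuple on `company:xyz`; Becky fails at that second step. Removing Anne's `employee` tuple is therefore enough to revoke her read access without touching the document's tuples, which is the point of granting access to the group rather than to each user.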
<RelatedSection description="Check the following sections for more on how to model groups." relatedLinks={[ { title: 'Modeling User Groups', description: 'Learn about how to model users and groups.', link: '../modeling/user-groups', id: '../modeling/user-groups.mdx', }, { title: 'Managing Group Membership', description: 'Learn about managing group membership.', link: './managing-group-membership', id: './managing-group-membership.mdx', }, ]} />