| title | description | sidebar_position | slug |
|---|---|---|---|
Slack |
Modeling authorization for Slack |
4 |
/modeling/advanced/slack |
import { AuthzModelSnippetViewer, CardBox, CheckRequestViewer, DocumentationNotice, IntroductionSection, Playground, ProductConcept, ProductName, ProductNameFormat, WriteRequestViewer, } from '@components/Docs';
This tutorial explains how to model permissions for a communication platform like Slack using .
- How to indicate relationships between a group of and an .
Used here to indicate that all members of a slack workspace can write in a certain channel.
See Modeling User Groups for more. - How to Model concentric relationship to have a certain on an object imply another relation on the same object.
Used here to indicate that legacy admins have all the permissions of the more granular channels admin.
See Modeling Concentric Relationships for more. - How to use the union operator condition to indicate that a user might have a certain relation with an object if they match any of the criteria indicated.
In order to understand this guide correctly you must be familiar with some concepts and know how to develop the things that we will list below.
It would be helpful to have an understanding of some concepts of before you start.
You need to know how to create an authorization model and create a relationship tuple to grant a user access to an object. Learn more →
You need to know how to update the authorization model to allow having nested relations such as all writers are readers. Learn more →
- Some
- Modeling Language
Slack is a messaging app for businesses that connects people to the information they need. By bringing people together to work as one unified team, Slack transforms the way organizations communicate. (Source: What is Slack?)
In this tutorial, you will build a subset of the Slack permission model (detailed below) in , using some scenarios to validate the model.
As reference, you can refer to Slack's publicly available docs:
Note: For brevity, this tutorial will not model all of Slack's permissions. Instead, it will focus on modeling the scenarios outlined below.
This tutorial will focus on the following sections (this is a partial list of Slack's roles):
Workspace Roles:
- Guest: This type of user is limited in their ability to use Slack, and is only permitted to see one or multiple delegated channels.
- Member: This is the base type of user that does not have any particular administrative abilities, but has basic access to the organization's Slack workspaces. When an administrative change needs to be made, these users need the support of admins and owners to make the changes.
- Legacy Admin: This type of user is the basic administrator of any organization, and can make a wide variety of administrative changes across Slack, such as renaming channels, archiving channels, setting up preferences and policies, inviting new users, and installing applications. Users with this role perform the majority of administrative tasks across a team.
System Roles:
- Channels Admin: This type of user has the permission to archive channels, rename channels, create private channels, and convert public channels into private channels.
Channel Settings:
- Visibility:
- Public: Visible to all members and open to join
- Private: Visible to admins and invited members
- Posting Permissions:
- Open: Anyone can post
- Limited: Only allowed members can post
Use the following scenarios to be able to validate whether the model of the requirements is correct.
There will be the following users:
- Amy
- Bob
- Catherine
- David
- Emily
These users will interact in the following scenarios:
- You will assume there is a Slack workspace called Sandcastle
- Amy is a legacy admin of the Sandcastle workspace
- Bob is a member of the Sandcastle workspace with a channels admin role (Read more about system roles at Slack here)
- Catherine and Emily are normal members of the Sandcastle workspace, they can view all public channels, as well as channels they have been invited to
- David is a guest user with only view and write access to #proj-marketing-campaign, one of the public channels in the Sandcastle workspace
- Bob and Emily are in a private channel #marketing-internal in the Sandcastle workspace which only they can view and post to
- All members of the Sandcastle workspace can view the general channel, but only Amy and Emily can post to it
:::caution
In production, it is highly recommended to use unique, immutable identifiers. Names are used in this article to make it easier to read and follow.
:::
The goal by the end of this post is to ask : Does person X have permission to perform action Y on channel Z? In response, you want to either get a confirmation that person X can indeed do that, or a rejection that they cannot. E.g. does David have access to view #general?
The is based on Zanzibar, a Relation Based Access Control system. This means it relies on and to perform authorization .
Setting aside the permissions, you will start with the roles and learn how to express the requirements in terms of relations you can feed into .
The requirements stated:
- Amy is a legacy admin of the Sandcastle workspace
- Bob is a channels admin of the Sandcastle workspace
- Catherine and Emily are a normal members of the Sandcastle workspace
- David is a guest user
Here is how you would express than in 's : You have a called "workspace", and users can be related to it as a legacy_admin, channels_admin, member and guest
<AuthzModelSnippetViewer configuration={{ schema_version: '1.1', type_definitions: [ { type: 'user', }, { type: 'workspace', // objects of type workspace relations: { // have users related to them as... legacy_admin: { // Legacy Admins this: {}, }, channels_admin: { // Channels Admin this: {}, }, member: { // Member this: {}, }, guest: { // Guest this: {}, }, }, metadata: { relations: { legacy_admin: { directly_related_user_types: [{ type: 'user' }] }, channels_admin: { directly_related_user_types: [{ type: 'user' }] }, member: { directly_related_user_types: [{ type: 'user' }] }, guest: { directly_related_user_types: [{ type: 'user' }] }, }, }, }] }} />
:::info
Objects of type workspace have users related to them as:
- Legacy Admin (
legacy_admin) - Channels Admin (
channels_admin) - Member (
member) - Guest (
guest)
Direct relationship type restrictions indicate that a user can have a with an object of the type the relation specifies.
:::
To keep things simple and focus on rather than Slack complexity, we will model only four roles (legacy_admin, channels_admin, member, guest).
At the end of this section we want to have the following permissions represented
| User | Relation | Object |
|---|---|---|
| amy | legacy_admin | workspace:sandcastle |
| bob | channels_admin | workspace:sandcastle |
| catherine | member | workspace:sandcastle |
| david | guest | workspace:sandcastle |
| emily | member | workspace:sandcastle |
To represent permissions in we use . For workspace permissions we need to create the following :
<AuthzModelSnippetViewer configuration={{ schema_version: '1.1', type_definitions: [ { type: 'user', }, { type: 'workspace', relations: { legacy_admin: { this: {}, }, channels_admin: { this: {}, }, member: { this: {}, }, guest: { this: {}, }, }, metadata: { relations: { legacy_admin: { directly_related_user_types: [{ type: 'user' }] }, channels_admin: { directly_related_user_types: [{ type: 'user' }] }, member: { directly_related_user_types: [{ type: 'user' }] }, guest: { directly_related_user_types: [{ type: 'user' }] }, }, }, }, ], }} />
The service determines if a has access to an by if the user has a relation to that object. Let us examine one of those relations in detail:
<AuthzModelSnippetViewer configuration={{ schema_version: '1.1', type: 'workspace', // objects of type workspace relations: { // have users related to them as... member: { // "member": if those users belong to: this: {}, // the userset of all users related to the document as "member" }, }, metadata: { relations: { member: { directly_related_user_types: [{ type: 'user' }] }, }, }, }} skipVersion={true} />
:::info
The snippet above indicates that objects of type workspace have users related to them as "member" if those users belong to the userset of all users related to the workspace as "member".
This means that a user can be as a member to an object of type "workspace"
:::
If we want to say amy is a legacy_admin of workspace:sandcastle we create this relationship tuple
<WriteRequestViewer relationshipTuples={[ { _description: 'Amy is a Legacy Admin in the Sandcastle workspace', user: 'user:amy', relation: 'legacy_admin', object: 'workspace:sandcastle', }, ]} />
We can now ask "is amy a legacy_admin of workspace:sandcastle?"
<CheckRequestViewer user={'user:amy'} relation={'legacy_admin'} object={'workspace:sandcastle'} allowed={true} />
We can also say that catherine is a member of workspace:sandcastle:
<WriteRequestViewer relationshipTuples={[ { _description: 'Catherine is a Member in the Sandcastle workspace', user: 'user:catherine', relation: 'member', object: 'workspace:sandcastle', }, ]} />
And verify by
<CheckRequestViewer user={'user:catherine'} relation={'member'} object={'workspace:sandcastle'} allowed={true} />
Catherine, on the other hand, is not a legacy_admin of workspace:sandcastle.
<CheckRequestViewer user={'user:catherine'} relation={'legacy_admin'} object={'workspace:sandcastle'} allowed={false} />
Repeat this process for the other relationships
[
{
// Bob is a Channels Admin in the Sandcastle workspace
user: 'user:bob',
relation: 'channels_admin',
object: 'workspace:sandcastle',
},
{
// David is a guest in the Sandcastle workspace
user: 'user:david',
relation: 'guest',
object: 'workspace:sandcastle',
},
{
// Emily is a Member in the Sandcastle workspace
user: 'user:emily',
relation: 'member',
object: 'workspace:sandcastle',
},
]<WriteRequestViewer relationshipTuples={[ { _description: 'Bob is a Channels Admin in the Sandcastle workspace', user: 'user:bob', relation: 'channels_admin', object: 'workspace:sandcastle', }, { _description: 'David is a guest in the Sandcastle workspace', user: 'user:david', relation: 'guest', object: 'workspace:sandcastle', }, { _description: 'Emily is a Member in the Sandcastle workspace', user: 'user:emily', relation: 'member', object: 'workspace:sandcastle', }, ]} />
To verify, we can issue to verify it is working as expected.
<CheckRequestViewer user={'user:amy'} relation={'legacy_admin'} object={'workspace:sandcastle'} allowed={true} />
Let's try to verify the followings:
| User | Object | Relation | Query | Relation? |
|---|---|---|---|---|
amy |
workspace:sandcastle |
legacy_admin |
is amy related to workspace:sandcastle as legacy_admin? |
Yes |
david |
workspace:sandcastle |
legacy_admin |
is david related to workspace:sandcastle as legacy_admin? |
No |
amy |
workspace:sandcastle |
guest |
is amy related to workspace:sandcastle as guest? |
No |
david |
workspace:sandcastle |
guest |
is david related to workspace:sandcastle as guest? |
Yes |
amy |
workspace:sandcastle |
member |
is amy related to workspace:sandcastle as member? |
No |
david |
workspace:sandcastle |
member |
is david related to workspace:sandcastle as member? |
No |
Some of the queries that you ran earlier, while returning the correct response, do not match reality. One of which is:
<CheckRequestViewer user={'user:amy'} relation={'member'} object={'workspace:sandcastle'} allowed={false} />
As you saw before, running this query will return amy is not a member of workspace:sandcastle, which is correct based on the data you have given so far. But in reality, Amy, who is a legacy_admin already has an channels_admin and member relations. In fact anyone (other than a guest) is a member of the workspace.
To change this behavior, we will update our system with a concentric relationship model.
With the following updated , you are informing that any user who is related to a workspace as legacy_admin, is also related as a channels_admin and a member .
<AuthzModelSnippetViewer
configuration={{
schema_version: '1.1',
type_definitions: [
{
type: 'user',
},
{
type: 'workspace',
relations: {
legacy_admin: {
this: {},
},
channels_admin: {
// users related to workspace as channels_admin are
union: {
// the union (any of):
child: [
{
this: {}, // the set of users with a direct channels_admin relation
},
{
computedUserset: {
// the set of users related to the workspace as legacy_admin
relation: 'legacy_admin',
},
},
],
},
},
member: {
// users related to workspace as member are
union: {
// the union (any of):
child: [
{
this: {}, // the set of users with a direct member relation
},
{
computedUserset: {
// the set of users related to the workspace as channels_admin
relation: 'channels_admin',
},
},
{
computedUserset: {
// the set of users related to the workspace as legacy_admin
relation: 'legacy_admin',
},
},
],
},
},
guest: {
this: {},
},
},
metadata: {
relations: {
legacy_admin: { directly_related_user_types: [{ type: 'user' }] },
channels_admin: { directly_related_user_types: [{ type: 'user' }] },
member: { directly_related_user_types: [{ type: 'user' }] },
guest: { directly_related_user_types: [{ type: 'user' }] },
},
},
},
],
}}
/>
We can then verify amy is a member of workspace:sandcastle.
<CheckRequestViewer user={'user:amy'} relation={'member'} object={'workspace:sandcastle'} allowed={true} />
We can check for other users and relationships.
| User | Object | Relation | Query | Relation? |
|---|---|---|---|---|
amy |
workspace:sandcastle |
legacy_admin |
is amy related to workspace:sandcastle as legacy_admin? |
Yes |
david |
workspace:sandcastle |
legacy_admin |
is david related to workspace:sandcastle as legacy_admin? |
No |
amy |
workspace:sandcastle |
guest |
is amy related to workspace:sandcastle as guest? |
No |
david |
workspace:sandcastle |
guest |
is david related to workspace:sandcastle as guest? |
Yes |
amy |
workspace:sandcastle |
member |
is amy related to workspace:sandcastle as member? |
Yes |
david |
workspace:sandcastle |
member |
is david related to workspace:sandcastle as member? |
No |
So far, you have modeled the users' to the workspace itself. In this task you will expand the model to include the relations concerning the channels.
By the end of it, you will run some queries to check whether a user can view or write to a certain channel. Queries such as:
is david related to channel:general as viewer?(expected answer: No relation, as David is a guest user with only a relation to #proj-marketing-campaign)is david related to channel:proj_marketing_campaign as viewer?(expected answer: There is a relation, as there is a relation between David and #proj-marketing-campaign as a writer)is bob related to channel:general as viewer?(expected answer: There is a relation, as Bob is a member of the Sandcastle workspace, and all members of the workspace have a viewer relation to #general)
The requirements are:
- Amy, Bob, Catherine and Emily, are normal members of the Sandcastle workspace, they can view all public channels, in this case: #general and #proj-marketing-campaign
- David, a guest user, has only view and write access to the #proj-marketing-campaign channel
- Bob and Emily are the only ones with either view or write access to the #marketing-internal channel
- Amy and Emily are the only ones with write access to the #general channel
The possible relations to channels are:
- Workspace includes the channel, consider the relation that of a parent workspace
- A user can be a viewer and/or writer on a channel
The authorization model already has a section describing the workspace, what remains is describing the channel. That can be done by adding the following section to the configuration above:
<AuthzModelSnippetViewer
configuration={{
schema_version: '1.1',
type: 'channel', // A channel can have the following relations:
relations: {
parent_workspace: {
// workspaces related to it as parent_workspace
this: {},
},
writer: {
// users related to it as writer
this: {},
},
viewer: {
// users related to it as viewer
this: {},
},
},
metadata: {
relations: {
parent_workspace: { directly_related_user_types: [{ type: 'workspace' }] },
writer: {
directly_related_user_types: [
{ type: 'user' },
{ type: 'workspace', relation: 'legacy_admin' },
{ type: 'workspace', relation: 'channels_admin' },
{ type: 'workspace', relation: 'member' },
{ type: 'workspace', relation: 'guest' },
],
},
viewer: {
directly_related_user_types: [
{ type: 'user' },
{ type: 'workspace', relation: 'legacy_admin' },
{ type: 'workspace', relation: 'channels_admin' },
{ type: 'workspace', relation: 'member' },
{ type: 'workspace', relation: 'guest' },
],
},
},
},
}} skipVersion={true}
/>
:::info
The configuration snippet above describes a channel that can have the following relations:
- workspaces related to it as
parent_workspace - users related to it as
writer - users related to it as
viewer
:::
There is an that anyone who can write to a channel can also read from it, so the authorization model can be modified to be:
<AuthzModelSnippetViewer
configuration={{
schema_version: '1.1',
type: 'channel',
relations: {
parent_workspace: {
this: {},
},
writer: {
this: {},
},
viewer: {
// viewer is the union of the set of users with a direct viewer relation, and the set of users with writer relations
union: {
child: [
{
// a user can be assigned a direct viewer relation, i.e., not implied through another relation
this: {},
},
{
// a user that is a writer is also implicitly a viewer
computedUserset: {
relation: 'writer',
},
},
],
},
},
},
metadata: {
relations: {
parent_workspace: { directly_related_user_types: [{ type: 'workspace' }] },
writer: {
directly_related_user_types: [
{ type: 'user' },
{ type: 'workspace', relation: 'legacy_admin' },
{ type: 'workspace', relation: 'channels_admin' },
{ type: 'workspace', relation: 'member' },
{ type: 'workspace', relation: 'guest' },
],
},
viewer: {
directly_related_user_types: [
{ type: 'user' },
{ type: 'workspace', relation: 'legacy_admin' },
{ type: 'workspace', relation: 'channels_admin' },
{ type: 'workspace', relation: 'member' },
{ type: 'workspace', relation: 'guest' },
],
},
},
},
}} skipVersion={true}
/>
:::info
Note that the channel type definition has been updated to indicate that viewer is the union of:
- the set of users with a viewer relation to this object
- the set of users with writer relations to this object
:::
As a result, the authorization model is:
<AuthzModelSnippetViewer configuration={{ schema_version: '1.1', type_definitions: [ { type: 'user', }, { type: 'workspace', relations: { legacy_admin: { this: {}, }, channels_admin: { union: { child: [ { this: {}, }, { computedUserset: { relation: 'legacy_admin', }, }, ], }, }, member: { union: { child: [ { this: {}, }, { computedUserset: { relation: 'channels_admin', }, }, { computedUserset: { relation: 'legacy_admin', }, }, ], }, }, guest: { this: {}, }, }, metadata: { relations: { legacy_admin: { directly_related_user_types: [{ type: 'user' }] }, channels_admin: { directly_related_user_types: [{ type: 'user' }] }, member: { directly_related_user_types: [{ type: 'user' }] }, guest: { directly_related_user_types: [{ type: 'user' }] }, }, }, }, { type: 'channel', relations: { parent_workspace: { this: {}, }, writer: { this: {}, }, viewer: { union: { child: [ { this: {}, }, { computedUserset: { relation: 'writer', }, }, ], }, }, }, metadata: { relations: { parent_workspace: { directly_related_user_types: [{ type: 'workspace' }] }, writer: { directly_related_user_types: [ { type: 'user' }, { type: 'workspace', relation: 'legacy_admin' }, { type: 'workspace', relation: 'channels_admin' }, { type: 'workspace', relation: 'member' }, { type: 'workspace', relation: 'guest' }, ], }, viewer: { directly_related_user_types: [ { type: 'user' }, { type: 'workspace', relation: 'legacy_admin' }, { type: 'workspace', relation: 'channels_admin' }, { type: 'workspace', relation: 'member' }, { type: 'workspace', relation: 'guest' }, ], }, }, }, }, ], }} />
What remains is to add the to indicate the relation between the users, workspace and the channels.
The Sandcastle workspace is a parent workspace of the #general, #marketing-internal and #proj-marketing-campaign channels.
<WriteRequestViewer relationshipTuples={[ { user: 'workspace:sandcastle', relation: 'parent_workspace', object: 'channel:general', }, { user: 'workspace:sandcastle', relation: 'parent_workspace', object: 'channel:marketing_internal', }, { user: 'workspace:sandcastle', relation: 'parent_workspace', object: 'channel:proj_marketing_campaign', }, ]} />
The #general channel is a public channel visible to all the members of the workspace. In , you represent this relation in the form of the following relationship tuple:
<WriteRequestViewer
relationshipTuples={[
{
_description:
'The set of users related to workspace:sandcastle as member are also related to channel:general as viewer',
user: 'workspace:sandcastle#member',
relation: 'viewer',
object: 'channel:general',
},
]}
/>
:::info
This indicates The set of users related to workspace:sandcastle as member are also related to channel:general as viewer
:::
And to indicate that Amy and Emily can write to it:
<WriteRequestViewer relationshipTuples={[ { _description: 'Due to the configuration update you added earlier, writer relation is enough to imply a viewer relation', user: 'user:amy', relation: 'writer', object: 'channel:general', }, { user: 'user:emily', relation: 'writer', object: 'channel:general', }, ]} />
The #marketing-internal is visible to only Bob and Emily. They can view and write in it.
<WriteRequestViewer relationshipTuples={[ { user: 'user:bob', relation: 'writer', object: 'channel:marketing_internal', }, { user: 'user:emily', relation: 'writer', object: 'channel:marketing_internal', }, ]} />
The #proj-marketing-campaign is public to all members of the Sandcastle workspace. They can view and write in it.
<WriteRequestViewer relationshipTuples={[ { user: 'workspace:sandcastle#member', relation: 'writer', object: 'channel:proj_marketing_campaign', }, ]} />
David is a guest user who can also view and write to #proj-marketing-campaign
<WriteRequestViewer relationshipTuples={[ { user: 'user:david', relation: 'writer', object: 'channel:proj_marketing_campaign', }, ]} />
Now that you have added the necessary relationship tuples, you will check to make sure that your configuration is valid.
First, we want to ensure david is not related to channel:general as viewer.
<CheckRequestViewer user={'user:david'} relation={'viewer'} object={'channel:general'} allowed={false} />
David should be related to channel:proj_marketing_campaign as viewer.
<CheckRequestViewer user={'user:david'} relation={'viewer'} object={'channel:proj_marketing_campaign'} allowed={true} />
Repeat this for the following relations
| User | Object | Relation | Query | Relation? |
|---|---|---|---|---|
amy |
workspace:sandcastle |
legacy_admin |
is amy related to workspace:sandcastle as legacy_admin? |
Yes |
amy |
workspace:sandcastle |
member |
is amy related to workspace:sandcastle as member? |
Yes |
amy |
workspace:sandcastle |
channels_admin |
is amy related to workspace:sandcastle as channels_admin? |
Yes |
amy |
channel:general |
writer |
is amy related to channel:general as writer? |
Yes |
amy |
channel:general |
viewer |
is amy related to channel:general as viewer? |
Yes |
amy |
channel:marketing_internal |
writer |
is amy related to channel:marketing_internal as writer? |
No |
amy |
channel:marketing_internal |
viewer |
is amy related to channel:marketing_internal as viewer? |
No |
emily |
channel:marketing_internal |
writer |
is emily related to channel:marketing_internal as writer? |
Yes |
emily |
channel:marketing_internal |
viewer |
is emily related to channel:marketing_internal as viewer? |
Yes |
david |
workspace:sandcastle |
guest |
is david related to workspace:sandcastle as guest? |
Yes |
david |
workspace:sandcastle |
member |
is david related to workspace:sandcastle as member? |
No |
david |
channel:general |
viewer |
is david related to channel:general as viewer? |
No |
david |
channel:marketing_internal |
viewer |
is david related to channel:marketing_internal as viewer? |
No |
david |
channel:proj_marketing_campaign |
viewer |
is david related to channel:proj_marketing_campaign as viewer? |
Yes |
- Have a basic understanding of and .
- Understand how to model authorization for a communication platform like Slack using .
In this tutorial, you:
- were introduced to and .
- learned how to build and test an authorization model for a communication platforms like Slack.
Upcoming tutorials will dive deeper into , introducing concepts that will improve on the model you built today, and tackling different permission systems, with other relations and requirements that need to be met.
If you are interested in learning more about Authorization and Role Management at Slack, check out the Okta Fine Grained Authorization (FGA) team's chat with the Slack engineering team.
<iframe style={{ marginTop: 36, borderRadius: 8 }} width="100%" height="500" src={`https://www.youtube-nocookie.com/embed/-iVBsagaK5Y`} frameBorder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowFullScreen />- Try adding more relationship tuples to represent other users and channels being added. Then run queries to make sure that the authorization model remains valid.
- Update the configuration to model more Slack permissions (workspace owners, Slack orgs), then add the relationship tuples necessary and run some queries to validate your configuration.