| sidebar_position | slug | description |
|---|---|---|
2 |
/modeling/building-blocks/usersets |
Modeling with userset |
import { AuthzModelSnippetViewer, CheckRequestViewer, DocumentationNotice, ProductConcept, ProductName, ProductNameFormat, RelatedSection, RelationshipTuplesViewer, } from '@components/Docs';
A userset represents a set or collection of .
Usersets can be used to indicate that a group of users in the system have a certain with an . This can be used to assign permissions to groups of users rather than specific ones, allowing us to represent the permissions in our system using less tuples and granting us flexibility in granting or denying access in bulk.
In , usersets are represented via this notation: object#relation, where is made up of a and an object identifier. For example:
company:xyz#employeerepresents all users that are related tocompany:xyzasemployeetweet:12345#viewerrepresents all users that are related totweet:12345asviewer
Imagine the following authorization model:
<AuthzModelSnippetViewer configuration={{ schema_version: '1.1', type_definitions: [ { type: 'user', }, { type: 'org', relations: { member: { this: {}, }, }, metadata: { relations: { member: { directly_related_user_types: [{ type: 'user' }] }, }, }, }, { type: 'document', relations: { reader: { this: {}, }, }, metadata: { relations: { reader: { directly_related_user_types: [{ type: 'user' }, { type: 'org', relation: 'member' }] }, }, }, }, ], }} />
Now let us assume that the store has the following tuples:
<RelationshipTuplesViewer relationshipTuples={[ { _description: 'Userset "Members of the xyz org" can read the budget document', user: 'org:xyz#member', relation: 'reader', object: 'document:budget', }, { _description: 'Anne is part of the userset "Members of the xyz org"', user: 'user:anne', relation: 'member', object: 'org:xyz', }, ]} />
If we call the to see if user anne has a reader relationship with document:budget, will check whether anne is part of the userset that does have a reader relationship. Because she is part of that userset, the request will return true:
<CheckRequestViewer user={'user:anne'} relation={'reader'} object={'document:budget'} allowed={true} />
Imagine the following authorization model:
<AuthzModelSnippetViewer configuration={{ schema_version: '1.1', type_definitions: [ { type: 'user', }, { type: 'document', relations: { writer: { this: {}, }, reader: { union: { child: [ { this: {}, }, { // a user who is related as an writer is also implicitly related as a reader computedUserset: { relation: 'writer', }, }, ], }, }, }, metadata: { relations: { reader: { directly_related_user_types: [{ type: 'user' }, { type: 'org', relation: 'member' }] }, writer: { directly_related_user_types: [{ type: 'user' }, { type: 'org', relation: 'member' }] }, }, }, }, ], }} />
If we wanted to see which users and usersets have a reader relationship with document:budget, we can call the Expand API. The response will contain a userset tree where the leaf nodes are specific user IDs and usersets. For example:
{
"tree": {
"root": {
"type": "document:budget#reader",
"union": {
"nodes": [
{
"type": "document:budget#reader",
"leaf": {
"users": {
"users": ["user:bob"]
}
}
},
{
"type": "document:budget#reader",
"leaf": {
"computed": {
"userset": "document:budget#writer"
}
}
}
]
}
}
}
}As you can see from the response above, with usersets we can express unions of user groups. We can also express intersections and exclusions.
Using the type definitions in the authorization model, some of the situations we can represent are:
- that a user is not in a set of users having a certain relation to an object, even if a relationship tuple exists in the system. See Disabling Direct Relationships
- that a user has a certain relationship with an object if they are in the union, intersection or exclusion of usersets.
- that a user being in a set of users having a certain relation to an object can result in them having another relation to the object. See Concentric Relationships
- that the user being in a set of users having a certain relation to an object and that object is in a set of users having a certain relation to another object, can imply that the original user has a certain relationship to the final object. See Object-to-Object Relationships
When executing the Check API of the form check(user, relation, object), will perform the following steps:
- In the authorization model, look up
typeand itsrelation. Start building a tree where the root node will be the definition of thatrelation, which can be a union, exclusion, or intersection of usersets, or it can be direct users. - Expand all the usersets involved into new nodes in the tree. This means recursively finding all the users that are members of the usersets. If there are direct relationships with users, create leaf nodes.
- Check whether
useris a leaf node in the tree. If the API finds one match, it will return immediately and will not expand the remaining nodes.
<RelatedSection description="See the following sections for more information:" relatedLinks={[ { title: 'Managing Group Membership', description: 'How to add users to a userset', link: '../../interacting/managing-group-membership', id: '../../interacting/managing-group-membership.mdx', }, { title: 'Managing Group Access', description: 'How to add permissions to a userset', link: '../../interacting/managing-group-access', id: '../../interacting/managing-group-access.mdx', }, ]} />