---
sidebar_position: 3
slug: /modeling/public-access
description: Granting public access to an object
---
import { AuthzModelSnippetViewer, CardBox, CheckRequestViewer, DocumentationNotice, Playground, ProductConcept, ProductName, ProductNameFormat, RelatedSection, RelationshipTuplesViewer, WriteRequestViewer, } from '@components/Docs';
In this guide you will learn how to grant public access to an object, such as a certain document, using type-bound public access.
Public access allows your application to grant every user in the system access to an object. You would add a relationship tuple with type-bound public access when:
- a document is shared publicly, to indicate that everyone can `view` it
- a public poll is created, to indicate that anyone can `vote` on it
- a blog post is published, and anyone should be able to `read` it
- a video is made public, for anyone to `watch`
To follow this guide you should be familiar with some <ProductName format={ProductNameFormat.ShortForm}/> concepts and know how to do the things listed below.
Assume that you have the following authorization model.
You have a type called `document` that can have a `view` relation. The relation can be assigned directly to a `user`, or to every user at once through the `user:*` wildcard, which is why the model lists both as directly related user types.
<AuthzModelSnippetViewer configuration={{ schema_version: '1.1', type_definitions: [ { type: 'user', }, { type: 'document', relations: { view: { this: {}, }, }, metadata: { relations: { view: { directly_related_user_types: [{ type: 'user' }, {type: 'user', wildcard:{} }] }, }, }, }, ], }} />
In addition, you will need to know the following:
You need to know how to create an authorization model and create a relationship tuple to grant a user access to an object. Learn more →
- A type: a class of objects that have similar characteristics
- A user: an entity in the system that can be related to an object
- A relation: a string defined in the type definition of an authorization model that defines the possibility of a relationship between an object of the same type as the type definition and a user in the system
- An object: represents an entity in the system. Users' relationships to it can be defined through relationship tuples and the authorization model
- A relationship tuple: a grouping consisting of a user, a relation and an object, stored in <ProductName format={ProductNameFormat.ShortForm}/>
- Type-bound public access: a special concept, represented by `<type>:*`, that can be used in the user field of a relationship tuple to stand for every object of that type
:::caution Make sure to use unique ids for each object and user within your application domain when creating relationship tuples for <ProductName format={ProductNameFormat.ShortForm}/>. We are using first names and simple ids here only to keep the example easy to follow. :::
In previous guides, we have shown how to indicate that specific users or objects are related to an object. In some cases you want to indicate that everyone is related to an object, for example when sharing a document publicly.
To do this, create a relationship tuple using type-bound public access. The `<type>:*` syntax in the tuple's user field indicates that all users of that type have the relation to that specific object.
Let us create a relationship tuple that states: any user can `view` `document:company-psa.doc`.
<WriteRequestViewer relationshipTuples={[ { _description: 'user:* denotes every object of type user', user: 'user:*', relation: 'view', object: 'document:company-psa.doc', }, ]} />
:::caution Wildcard syntax usage
Type-bound public access is not a general wildcard or a regular expression. You cannot use the `<type>:*` syntax in the tuple's object field; a tuple's object is always one specific object.
The following syntax is invalid:
<RelationshipTuplesViewer relationshipTuples={[ { _description: 'It is invalid to use this syntax in the object field. The below relationship tuple is invalid and does not mean that Bob can view all documents.', user: 'user:bob', relation: 'view', object: 'document:*', }, ]} />
:::
:::caution Wildcard syntax usage
You also cannot use `<type>:*` as part of a userset in the tuple's user field.
The following syntax is invalid:
<RelationshipTuplesViewer relationshipTuples={[ { _description: 'It is invalid to use this syntax as part of a userset. The below relationship tuple is invalid and does not mean that members of any org can view the company-psa document.', user: 'org:*#member', relation: 'view', object: 'document:company-psa.doc', }, ]} />
:::
Once the above relationship tuple is added, we can check whether `user:bob` can `view` `document:company-psa.doc`. The check will return { "allowed": true } even though no relationship tuple linking bob to the document was added. That is because the relationship tuple with `user:*` as the user makes every object of type `user` (such as `user:bob`) able to `view` the document, making it public. Note that the wildcard is scoped to both the object and the user type: it grants nothing on other documents, and nothing to users of a different type.
<CheckRequestViewer user={'user:bob'} relation={'view'} object={'document:company-psa.doc'} allowed={true} />
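The following is an added example, not code from the OpenFGA docs or the OpenFGA project: a small offline model of the semantics described above. It transcribes the page's authorization model, rejects the two invalid tuple shapes shown in the cautions, and resolves a check the way type-bound public access resolves it: a `user:*` tuple on an object satisfies any `user:<id>` for that object only. The `service:ci` user and `document:roadmap.doc` object are constructed for illustration and are not on the page; a real deployment would use the OpenFGA server and SDKs instead of this simulation.

```python
"""Offline simulation of type-bound public access (added example, not OpenFGA code)."""
from __future__ import annotations
from dataclasses import dataclass

# The page's authorization model, transcribed: `view` on `document` may be
# assigned to a single user, or to every user via the `user:*` wildcard.
MODEL = {
    "document": {
        "view": [{"type": "user"}, {"type": "user", "wildcard": True}],
    },
}


@dataclass(frozen=True)
class Tuple:
    user: str
    relation: str
    object: str


def _split(ref: str) -> tuple[str, str]:
    """Split 'type:id' into (type, id); reject malformed references."""
    type_name, sep, ident = ref.partition(":")
    if not sep or not type_name or not ident:
        raise ValueError(f"malformed reference: {ref!r}")
    return type_name, ident


def validate_tuple(t: Tuple) -> None:
    """Reject tuple shapes the page calls invalid, and users the model
    does not list as directly related for the relation."""
    obj_type, obj_id = _split(t.object)
    if obj_id == "*":
        # `document:*` in the object field does not mean "all documents".
        raise ValueError("wildcard is not allowed in the object field")
    if "#" in t.user:
        user_ref, _, _rel = t.user.partition("#")
        if _split(user_ref)[1] == "*":
            # `org:*#member` is not "members of any org".
            raise ValueError("wildcard is not allowed inside a userset")
        # Userset resolution is out of scope for this toy model.
        raise NotImplementedError("usersets are not handled in this example")
    allowed = MODEL.get(obj_type, {}).get(t.relation)
    if allowed is None:
        raise ValueError(f"unknown relation {t.relation!r} on type {obj_type!r}")
    user_type, user_id = _split(t.user)
    if user_id == "*":
        ok = any(a.get("wildcard") and a["type"] == user_type for a in allowed)
    else:
        ok = any(not a.get("wildcard") and a["type"] == user_type for a in allowed)
    if not ok:
        raise ValueError(f"{t.user!r} is not an allowed user for {obj_type}#{t.relation}")


class Store:
    def __init__(self) -> None:
        self.tuples: set[Tuple] = set()

    def write(self, *tuples: Tuple) -> None:
        for t in tuples:
            validate_tuple(t)
            self.tuples.add(t)

    def check(self, user: str, relation: str, object: str) -> bool:
        """True if a tuple names the user directly, or if a type-bound public
        access tuple for the user's type (`<type>:*`) exists on that object."""
        user_type, _ = _split(user)
        public = f"{user_type}:*"
        return any(
            t.relation == relation and t.object == object and t.user in (user, public)
            for t in self.tuples
        )


def demo() -> dict:
    """Replays the page's walkthrough plus the two scoping caveats."""
    store = Store()
    store.write(Tuple("user:*", "view", "document:company-psa.doc"))
    results = {
        # bob has no tuple of his own but is covered by user:*
        "bob_views_psa": store.check("user:bob", "view", "document:company-psa.doc"),
        # the wildcard is scoped to one object (constructed second document)
        "bob_views_other": store.check("user:bob", "view", "document:roadmap.doc"),
        # and to one user type (constructed `service` type, not in the model)
        "service_views_psa": store.check("service:ci", "view", "document:company-psa.doc"),
    }
    for bad in (Tuple("user:bob", "view", "document:*"),
                Tuple("org:*#member", "view", "document:company-psa.doc")):
        try:
            store.write(bad)
            results[bad.user] = "accepted"
        except ValueError as err:
            results[bad.user] = f"rejected: {err}"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The validation step mirrors what the model's `directly_related_user_types` expresses: `user:*` is only writable because the model lists `{type: 'user', wildcard: {}}`, so removing that entry from `MODEL` makes the public tuple fail validation rather than silently granting access.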
<RelatedSection description="Check the following sections for more on how to model with {ProductName}." relatedLinks={[ { title: 'Modeling: Getting Started', description: 'Learn about how to get started with modeling.', link: './getting-started', id: './getting-started', }, { title: 'Modeling Language', description: 'Learn about {ProductName} Modeling Language.', link: '../modeling-language', id: '../modeling-language', }, { title: 'Modeling Blocklists', description: 'Learn about model block lists.', link: './blocklists', id: './blocklists', }, ]} />