-
Notifications
You must be signed in to change notification settings - Fork 12
/
store.fga.yaml
174 lines (146 loc) · 4.91 KB
/
store.fga.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
model: |
model
schema 1.1
# user = users from the customer's organization
type user
# employee = employees of the SaaS vendor
type employee
# application = internal applications that need to perform maintenance tasks
type application
# top level type where we define system administrators, note that we are only defining
# superadmins but there could be other roles that would have restricted permissions
type system
relations
define admin : [employee, application]
# organization represent the SaaS customer
type organization
relations
define system : [system]
# system admins have the same permissions in the organization as
# customer admins
define admin : [user] or admin from system
define member : [user]
# we could define helpdesk members at the system level too without
# a time expiration, but time bounding access help desk access
# for a specific customer is a better security practice
define helpdesk_member : [employee with non_expired_time_grant]
define can_create_project : admin or member
type project
relations
define organization : [organization]
define owner : [user]
# admins from the organization have editor permission in all projects
define editor : [user] or owner or admin from organization
define viewer : [user] or editor or helpdesk_member from organization
type task
relations
define project: [project]
define owner : [user]
# tasks inherit the system admins + helpdesk member permissions from the project
define editor : [user] or editor from project
define viewer : [user] or editor or viewer from project
condition non_expired_time_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) {
current_time < grant_time + grant_duration
}
tuples:
# we define a user and an application as 'super admins'
- user: employee:anne
relation : admin
object: system:global
- user: application:system-management-app
relation : admin
object: system:global
# this tuple connects the global 'system' with each organization, and needs to be created
# for all organizations
- user: system:global
relation: system
object: organization:acme
# we grant access to a help desk user for 1 hour
- user: employee:john
relation: helpdesk_member
object: organization:acme
condition:
name: non_expired_time_grant
context:
grant_time : "2024-01-01T00:00:00Z"
grant_duration : 1h
# peter is the organization's admin
- user: user:peter
relation: admin
object: organization:acme
# we add the tuples for the project and for a task in the project
- user: organization:acme
relation: organization
object: project:openfga
- user: project:openfga
relation: project
object: task:create-example
tests:
- name: Test specific permissions for different users
check:
# anne is a super admin, has full access
- user: employee:anne
object: task:create-example
assertions:
viewer: true
editor: true
# peter is an admin in the organization, has full access
- user: user:peter
object: task:create-example
assertions:
viewer: true
editor: true
# the system application has full access
- user: application:system-management-app
object: task:create-example
assertions:
viewer: true
editor: true
# john only has temporary access as viewer
- user: employee:john
object: task:create-example
context:
current_time: "2024-01-01T00:10:00Z"
assertions:
viewer: true
editor: false
- name: Test the tasks that each user can view
list_objects:
- user: employee:john
type: task
context:
current_time: "2024-01-01T00:10:00Z"
assertions:
viewer:
- task:create-example
- user: user:peter
type: task
assertions:
viewer:
- task:create-example
- user: employee:anne
type: task
assertions:
viewer:
- task:create-example
- name: Test the users/employees can can view task:create-example
list_users:
- object: task:create-example
context:
current_time: "2024-01-01T00:10:00Z"
user_filter:
- type: user
assertions:
viewer:
users:
- user:peter
- object: task:create-example
context:
current_time: "2024-01-01T00:10:00Z"
user_filter:
- type: employee
assertions:
viewer:
users:
- employee:anne
- employee:john