| author | mo khan <mo@mokhan.ca> | 2025-03-17 14:45:41 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-03-17 14:45:41 -0600 |
| commit | 94d084a51172b7e3851779e9e052435084d4abfe (patch) | |
| tree | 2af690135fe184c34dedec7f34447fb12092ed40 /doc/share/authz/DESIGN.md | |
| parent | f9168083b787118af5577015a3c7f9efa63c8e80 (diff) | |
docs: add notes on ABAC and weakness of RBAC
Diffstat (limited to 'doc/share/authz/DESIGN.md')
| -rw-r--r-- | doc/share/authz/DESIGN.md | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/doc/share/authz/DESIGN.md b/doc/share/authz/DESIGN.md new file mode 100644 index 0000000..8bf5347 --- /dev/null +++ b/doc/share/authz/DESIGN.md 
@@ -0,0 +1,61 @@ +# Design + +## Current + +## Proposed + +### Option 1 + +| permission | scope | description | +| ---------- | ----- | ----------- | +| `read` | `gid://app/Organization/1` | Can read Org 1 resource | +| `read` | `gid://app/Organization/1/*` | Can read every resource below Org 1 hierarchy | +| `read` | `gid://app/Organization/1/Group/1` | Can read Group 1 resource | +| `read` | `gid://app/Organization/1/Group/1/*` | Can read every resource below Group 1 hierarchy | +| `read` | `gid://app/Organization/1/Group/1/Project/1` | Can read project 1 | +| `read` | `gid://app/Project/1` | Can read project 1 resource (short circuit example) | +| `read` | `gid://app/Organization/1/Group/1?attributes[]=name&attributes[]=description` | Can read name and description of Group 1 resource | + +Example: + +The following example allows the subject of the token to read all of the descendant resources of `Project 1` and `Project 2` and it can read `Project 3`. + +```json +{ + "sub": "gid://User/17", + "scope": { + "read": [ + "gid://app/Organization/1/Group/1/Project/1/*", + "gid://app/Organization/1/Group/1/Project/2/*", + "gid://app/Organization/1/Group/2/Project/3" + ] + } +} +``` + +### Option 2 + +Encode access and scope directly into the name of the permission. 
+ +| permission | description | +| ---------- | ----------- | +| `read:organization:1` | Can read Org 1 resource | +| `read:organization:1:*` | Can read every resource below Org 1 hierarchy | +| `read:organization:1:group:*` | Can read Group 1 resource | +| `read:organization:1:group:1:*` | Can read every resource below Group 1 hierarchy | +| `read:organization:1:group:1:project:1` | Can read project 1 | +| `read:project:1` | Can read project 1 resource (short circuit example) | +| `read:organization:1:group:1:attributes[]=name&attributes[]=description` | Can read name and description of Group 1 resource | + +Example: + +```json +{ + "sub": "gid://User/17", + "scope": [ + "read:organization:1:group:1:project:1:*", + "read:organization:1:group:1:project:2:*", + "read:organization:1:group:2:project:3" + ] +} +``` |
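Review bot: in the Option 2 table the row `read:organization:1:group:*` is described as "Can read Group 1 resource", but the trailing `:*` wildcard grants every group under Org 1; the Option 1 counterpart is `gid://app/Organization/1/Group/1`, so this row should read `read:organization:1:group:1`. The same hunk leaves the wildcard semantics undefined: it should state whether `*` matches exactly one segment or the whole subtree, since `read:organization:1:*` and `gid://app/Organization/1/*` are both described as covering the entire hierarchy, and without that rule an evaluator cannot tell whether `read:organization:1:*` also satisfies a check on `project:1`. The attribute-scoped forms (`...:group:1:attributes[]=name&attributes[]=description` in Option 2 and `?attributes[]=name&attributes[]=description` in Option 1) mix the `:`/`/` path delimiter with query syntax and should say how they are parsed and how they combine with `*`. The short-circuit alias `gid://app/Project/1` (`read:project:1`) gives one resource two identifiers, so the evaluator must canonicalize before matching or a `.../Group/1/*` grant will not cover a check issued against the short form; document which form is canonical. If these are JWT access tokens, note that the `scope` claim is defined as a space-delimited string (RFC 9068 §2.2.3), so Option 1's object and Option 2's array need either a custom claim name or a stated serialization rule. Finally, `## Current` is empty and neither option mentions ABAC or RBAC, which the commit subject promises; either fill those in or reword the subject. Minor: `sub` uses `gid://User/17` while every resource uses the `gid://app/...` authority.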
