OpenFGA
Replies: 1 comment 2 replies
-
|
Hi @keitherw can you please provide a .fga.yaml file like this one with model + tuples + tests? Thanks a lot! |
Beta Was this translation helpful? Give feedback.
-
|
I think I actually fixed it. Within my Type ITEM GROUP I created a relation called "all_valid": valid_relation1 and valid_relation2 and valid_relation3. I updated the ITEM to have can_access: all_valid from assigned |
Beta Was this translation helpful? Give feedback.
-
|
Yes, that has addressed my issue. Instead of having the 'ands' within the Type ITEM can_access, creating the all_valid relation with the Type ITEM GROUP with the 'ands' seemed to handle the scenario that I am testing. |
Beta Was this translation helpful? Give feedback.
-
Hi,
I apologize for the long winded query :) I have a scenario to which I believe the model validation should be returning false but it is returning true. I suspect it is how I created the model. For all other scenarios, the model is working as expected. Not sure if this is a model configuration issue or a bug in the validation.
I have two types.
type ITEM GROUP
relation1: [user] with condition 1
relation2: [user] with condition 2
relation3: [user] with condition 3
valid_relation1: relation1
valid_relation2: relation2
valid_relation3: relation3
type ITEM
assigned: [ITEM GROUP]
can_access: (valid_relation1 from assigned and valid_relation2 from assigned and valid_relation3 from assigned)
A user can create one ITEM GROUP object that has three condition values and another ITEM GROUP object that has three different condition values. An ITEM object is 'assigned' to both ITEM GROUP objects. The intention is that the ITEM object is validated via can_access for a particular user. The expectation is that each condition for a particular ITEM GROUP must be valid. This does work fine except for when I have an ITEM that belongs to both ITEM GROUPS.
I create a tuple for ITEM GROUP called 'GROUP A' that has three values for the conditions that will be checked
I create a tuple for ITEM GROUP called 'BROUP B' that has three different values for the conditions that will be checked
I create a tuple for 'ITEM A' assigned to 'GROUP A'
I create a tuple for 'ITEM B' assigned to 'GROUP A'
I create a tuple for 'ITEM C' assigned to 'GROUP A'
I create a tuple for 'ITEM C' assigned to 'GROUP B'
I create a tuple for 'ITEM D' assigned to 'GROUP B'
I create a tuple for 'ITEM E' assigned to 'GROUP B'
As can be seen, I have a ITEM C belongs to both GROUP A and GROUP B.
When I do a validation for a user 'can_access' on ITEM C and I provide condition values such that only one of the conditions of GROUP A are valid and only one of the conditions of GROUP B are valid (not the same condition), it validates as true.
I would expect the validation to be false; (example)
Examine user values condition 1, condition 2 and condition 3 for GROUP A, if not all of the conditions are valid return false,
if not all of the conditions for GROUP B are valid return false.
It instead returns true. It seems to be doing a validation something like;
If condition 1 GROUP A or B is valid and condition 2 GROUP A or B is valid or condition 3 GROUPA or B is valid then return true
Beta Was this translation helpful? Give feedback.
All reactions