Need help with modelling attribute based permission change

[neeraj-ec]

Hi Team, I need help in modelling a use case where permission condition changes based on the an attribute of the object.
I have two types org and project. Every project relates to an org.
project does have a status attribute which can be draft, published and archived.

My requirement is, if project in draft status, only owner of the project can delete it. If it is in published status, editor from belonging org can also delete it. can_delete condition changes based on status of project.

I'm not able to figure out how to model can_delete to satisfy the use case.

type user
type org
  relations 
    define editor as self
    define member as self
type project
  relations
    define owner as self
    define org as self
    can_delete as owner or editor from org 

[jon-whit]

Since OpenFGA uses relationships to determine authorization outcomes, every state of the authorization decision has to somehow be encoded in a Relationship Tuple that is stored in OpenFGA OR provided as a Contextual Tuple in the request (at request time).

To model this scenario you could model the state of the project status as a relationship and then use that as a conditional guard in the relation definition for project#can_delete. For example,

type user

type org
  relations
    define editor as self
    define member as self

type project
  relations
    define owner as self
    define org as self
    define project_draft as self
    define project_published as self
    define can_delete_draft as project_draft and owner
    define can_delete_published as project_published and editor from org
    define can_delete as can_delete_draft or can_delete_published

In your store you may have tuples such as

object	relation	user
project:1	owner	user:neeraj-ec
project:1	org	org:example
org:example	editor	user:neeraj-ec

In your application you'll know at the time of a request if the project is in 'draft' or 'published' state.

If it is in a 'draft' state then in your request you can do

Check({
    "object": "project:1",
    "relation": "can_delete",
    "user": "user:neeraj-ec",
    "contextual_tuples": {
        "tuple_keys": [
            {"object": "project:1", "relation": "project_draft", "user": "project:1"} // 'project:1' is in draft state
        ]
    }

If it is in a 'published' state then in your request you can do

Check({
    "object": "project:1",
    "relation": "can_delete",
    "user": "user:neeraj-ec",
    "contextual_tuples": {
        "tuple_keys": [
            {"object": "project:1", "relation": "project_published", "user": "project:1"} // 'project:1' is in published state
        ]
    }

The advantage of this approach is you don't have to update the tuples in OpenFGA every time a project's status is updated. Instead, pass that attribute status at the time the request is made.

WDYT?

[neeraj-ec]

Thanks @jon-whit This should work in my case. The only drawback I can see is: In my API endpoint, before asking for permission I need to hit the db to figure out current project is in draft state or published state. But I think that's the trade off I need to consider, whether I should avoid db call ands store status in OpenFGA or I should use context tuples.

[jon-whit]

@neeraj-ec yeah, that's the challenge with any attribute-based access control decision. If you require an attribute/metadata to evaluate an access control decision, then you must have that information available (either ahead of time or by fetching it at request time).

Let us know if we can help further with your modeling scenario 👍