Designing permission model to accommodate saas based offering for multiple organizations

[Anurag--Singh]

Hello All,

I am considering using keto as the foundation for our authorization system and have already evaluated and
created a roadmap to include kratos and oathkeeper in our system. I have started migrating data for the same
and will plan accordingly to move to production once tested enough.

One of the design problems we are facing is that different organizations have almost the same user types
based on characteristics such as member-only or non-member.
Users are unique to these organizations and have different roles within an organization.
Users can have access to resources or files based on certain conditions such as paid, public,
or allowed to a set of groups only.

Solution:

organizations:org-A#member@(user-types:member-only#accesses)
organizations:org-A#member@(user-types:non-member#accesses)
organizations:org-A#member@(user-types:staff#accesses)

user-types:member-only#accesses@user-A-org-A-member-only
user-types:non-member#accesses@user-B-org-A-non-member
user-types:staff#accesses@user-C-org-A-member-staff

resources:file-paid#access-view@(target-groups:file-paid-target#member)
target-groups:file-paid-target#member@user-A-org-A-member-only

organizations:org-B#member@(user-types:member-only#accesses)
user-types:member-only#accesses@user-D-org-B-member-only

keto check

Is user-A-org-A-member-only has relation to resources:file-paid
Allowed

Is user-A-org-A-member-only is a member of organizations:org-A#member
Allowed

Is user-D-org-B-member-only is a member of organizations:org-A#member
Allowed

We have two questions. Firstly How to design user-D-org-B-member-only is NOT a member of organizations:org-A#member

This is where keto check should deny as per our use case. So I thought changing user-types:member-only
to user-types:member-only-id where each user type object is replaced with unique id for all organizations.

I will put a mapping of organization, user type(member-only), unique id(eg. ec788a82-a12e-45a4-b906-3e69f78c94e4 for object relation like below in keto) user-types:ec788a82-a12e-45a4-b906-3e69f78c94e4#accesses in other relational database.

Same, design will follow for target-groups:file-paid-target as target-groups:file-paid-target-unique-id.

Secondly I am exploring better ways to establish a relationship between resources:file-paid-unique-id and the organization organizations:org-A.

I am currently considering creating another group and associating it with the organization by adding resources:file-paid-unique-id to that group. On the web front, I am listing all the resources from the relational database of an organization with pagination support. However, I want to keep keto as the only source of truth, and I am unsure if our current approach is the best one.

[CaseyLemieux]

Hey Anurag,

Did you ever make any headway on this? We are looking at implementing something similar with Keto and have been trying to find any examples etc.

[Anurag--Singh]

Hello Casey,

No I wasn't. I think it's not best suited for hierarchical inheritance or relationship as complex scenario based above. For others not as complex as above HRBAC it will work. It's more of a permission check.

keto, think of dynamically updating the permission in keto. It can be an overhead during data migration or frequent updates in case where file, media etc. resources are given access and removed. It can be manually or time based too.

I wasn't able to find the examples, but to some extent other similar frameworks had more examples.

I will re-explore if anything new added since my last post.

If you think or find any better alternatives or solution, do drop me a message.

Thank you