[Use-Case Question] How to implement negate condition ?

[stondini]

Hello,

I'm working with a system where a user is granted to groups of objects following 2 principles:

1. The user is allowed to access some groups (inclusion).
2. The user is not allowed to access some groups so, he/she has access to all other groups (exclusion).

As example, let's say the user bob is granted to groups A and B (among thousands of groups).
So, bobis supposed to see all objecta that are link to groups A and B. No issue with that.

But, the user alice must not have access to groups B and C. That means she has access to all other groups.

I've tried to define the model like

model
  schema 1.1

type user

type group
  relations
    define allowed: [user]
    define denied: [user]
    define is_granted: allowed but not denied

where:

• user:bob is allowed to group:A
• user:bob is allowed to group:B
• user:alice is denied to group:B
• user:alice is denied to group:C
  Also, as the allowed and denied relations are mutually exclusive, a user can't have both set. Either a group is allowed or denied.

Some expected results are:

• is user:bob related to group:A as is_granted? -> YES
• is user:bob related to group:B as is_granted? -> YES
• is user:bob related to group:C as is_granted? -> NO
• is user:bob related to group:Z as is_granted? -> NO
• is user:alice related to group:A as is_granted? -> YES (because group A is not explicitly denied)
• is user:alice related to group:B as is_granted? -> NO (because group B is explicitly denied)
• is user:alice related to group:C as is_granted? -> NO (because group C is explicitly denied)
• is user:alice related to group:Z as is_granted? -> YES (because group Z is not explicitly denied)

But the is_granted relation is not exactly the one I need because the exclusion operator but not is not correct.
I need something like define is_granted: allowed or not denied that

Do you think there is another way to implement such case ?

Many thanks,
Stephane

[miparnisari]

Hi @stondini! I uploaded your scenario here: https://play.fga.dev/stores/create/?id=01HKRVGDZ886SJ58J9XR9547Z4

Also, a the allowed and denied relations are mutually exclusive. I user can have both set. Either groups are allowed or denied.

If i understood correctly, you want to forbid writing two tuples for one user, with different relations and objects? E.g.:

group:X#allowed@user:maria and
group:Y#denied@user:maria

If that is the case, I don't think this is possible... @rhamzeh what do you think? You know more about modelling than me :)

[stondini]

Hi @miparnisari
Thank you for your comment.

Let me clarify what I'd like to achieve.
I have no issue to insert relation in a mutual exclusion way. I know if a user is allowed or denied to access a group.
If a user is either allowed or denied to access groups.
The user X can access groups A and B.
The user Y can't access groups A and B.
The case where the user X can access A but can't access B is not possible as the piece of code that inserts the relations takes care of that.
I don't need a constraint validation while the relations are inserted.

That said, my concern is about the expression to write to query the authorization system.

Case of an allowed group:
Given the following relation: group:X#allowed@user:maria (only this relation is inserted)
I'd like the following authorizations:

• Is user:maria related to group:X as allowed -> YES (because group X is allowed)
• Is user:maria related to group:Y as allowed -> NO (because group Y is not allowed)

Case of denied group:
Given the following relation: group:Y#denied@user:maria (only this relation is inserted)
I'd like the following authorizations:

• Is user:maria related to group:X as allowed -> YES (because group X is not denied)
• Is user:maria related to group:Y as allowed -> NO (because group Y is denied)

As you can see, in both cases, the expression checks if the user is allowed.

As pictures speak a thousand words, please find below a graphical representations of the model.

Allowed case:

The outer circle represents all the possible groups.
So, maria is only allowed to access the group X. All other groups are denied.

Denied case:

The outer circle represents all the possible groups.
So, maria is denied to access the group Y. All other groups are allowed.

Hope it clarified the whole stuff :)

Thank you.
Stephane