Replies: 1 comment 1 reply
-
Hi @sreeram-n, it seems you are trying to model resources/permissions in a generic way, instead of using the OpenFGA types/relations to do that. We don't recommend doing that. In general, resources and permissions are coupled with an application (e.g. you can't add a new resource type and permission type unless you change your application to take those into account). Whenever you add a resource type or permission in the application, you can add it in the FGA model.
-
All, I need validation on the approach to define the model for the following use case:
We have users. Users belong to groups. There are custom roles, and each contains a set of custom permissions. Users can belong to multiple groups, and each of those groups can have different roles on resources.
```
model
  schema 1.2

type resource # module: app_msm, file: app/msm/base.fga
  relations
    define has_access: assignee from role
    define role: [role]

type group # module: core, file: core.fga
  relations
    define member: [user]

type permission # module: core, file: core.fga
  relations
    define association: [role]
    define has_permission: assignee from association

type role # module: core, file: core.fga
  relations
    define assignee: [group#member]

type tenant # module: core, file: core.fga
  relations
    define member: [user]

type user # module: core, file: core.fga
```
```yaml
tuples:
  - relation: role
    object: resource:resource1
  - relation: member
    object: group:group1
  - relation: member
    object: tenant:tenant1
  - relation: member
    object: group:group2
  - relation: role
    object: resource:resource1
  - relation: assignee
    object: role:resource_manager
  - relation: member
    object: tenant:tenant1
  - relation: assignee
    object: role:resource_reader
  - relation: association
    object: permission:resource_read
  - relation: association
    object: permission:resource_write
  - relation: association
    object: permission:resource_read
  - relation: role
    object: resource:resource2
  - user: group:group2#member
    relation: assignee
```
Currently, these questions are what is possible with the model:
query-check: user:user1 has_access resource:resource1
query-check: user:user1 has_permission permission:resource_read
The above are disconnected; how can they be combined so that this type of question can be asked:
user:user1 has permission:resource_read on resource:resource1
Thanks
Ram.
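As an added example (not the poster's model and not OpenFGA project code), here is the approach the reply recommends, written as an OpenFGA store test file for `fga model test`: permissions become relations on the `role` type that a role grants to its own assignees, and the resource resolves them through the roles bound to it, so `user:user1 can_read resource:resource1` answers the combined question directly. The relation names `can_read`/`can_write`, the roles `resource_reader`/`resource_manager` and all tuples are constructed for illustration, and the model uses schema 1.1 rather than the modular 1.2 layout of the original.

```yaml
name: custom-roles-example   # constructed example, not the poster's store
model: |
  model
    schema 1.1
  type user
  type group
    relations
      define member: [user]
  type role
    relations
      # assignee: who holds the role; can_read/can_write: permissions the
      # role carries, granted to its own assignees via the role#assignee userset
      define assignee: [user, group#member]
      define can_read: [role#assignee]
      define can_write: [role#assignee]
  type resource
    relations
      # roles bound to this resource; a permission holds if any bound role carries it
      define role: [role]
      define can_read: can_read from role
      define can_write: can_write from role
tuples:
  - user: user:user1
    relation: member
    object: group:group1
  - user: group:group1#member
    relation: assignee
    object: role:resource_reader
  - user: role:resource_reader#assignee   # the role's permission set, stored once per role
    relation: can_read
    object: role:resource_reader
  - user: role:resource_manager#assignee
    relation: can_write
    object: role:resource_manager
  - user: role:resource_reader   # roles bound to resources
    relation: role
    object: resource:resource1
  - user: role:resource_manager
    relation: role
    object: resource:resource2
tests:
  - name: user1 can read but not write resource1, and has no role on resource2
    check:
      - user: user:user1
        object: resource:resource1
        assertions:
          can_read: true
          can_write: false
      - user: user:user1
        object: resource:resource2
        assertions:
          can_read: false
```

Run it with `fga model test --tests <file>.fga.yaml`; the check for `resource:resource1` resolves user1 → group1#member → role:resource_reader#assignee → can_read on the role → can_read on the resource.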