Graph of relations
The relationships of the access control list used by Ory Permissions can be represented as a graph of relations.
Definition
The graph consists of three types of nodes:
- Object nodes that represent application objects.
- Intermediary subject set nodes.
- Subject ID nodes that represent individuals.
Edges are directed and represent the relation between an object and a subject.
Example
The following example translates a few relationships into a graph of relations.
This example omits the namespace from all data to improve readability. In practice, the namespace always has to be considered.
// user1 has access on dir1
dir1#access@user1
// This is an empty relation.
dir1#child@(file1#)
// Everyone with access to dir1 has access to file1.
file1#access@(dir1#access)
// Direct access on file2 was granted.
file2#access@user1
// user2 is owner of file2
file2#owner@user2
// Owners of file2 have access to it; possibly defined through subject set rewrites.
file2#access@(file2#owner)
This is represented by the following graph:
Solid edges represent explicitly defined relations, while dotted edges represent relations inherited through a subject set.
Ory Permissions utilizes the following key properties of the graph of relations:
- Edges directed from objects to subjects: This implies a neat arrangement with objects in one region, subject IDs in another one, and subject sets in between. Edges will always go from the object region towards the subject region.
- Searching for a possible path is local: Trying to find a path from an object to a subject will always happen locally. This means that it's only necessary to traverse the nodes that are successors of the object. In typical setups, this means that only a small fraction of the graph has to be searched, regardless of the outcome. The intuition here is that the relations of user1's files are irrelevant when checking access to user2's files.
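The following is an added example, not code from Ory Permissions, that builds the graph from the relation tuples listed above and performs the local path search just described. The tuple syntax `object#relation@subject` and the subject-set form `(object#relation)` are taken from this page; the parser, the `check` function and the visited-node count it returns are assumptions made here to illustrate the graph, not Ory's implementation. Namespaces are omitted, as they are in the example above.

```python
"""Graph-of-relations walk over relation tuples in the page's syntax.

Added example (not Ory's code). Subject-ID nodes are plain strings;
object nodes and subject-set nodes are (object, relation) pairs, so a
subject set like (dir1#access) is the same node as the object/relation
pair dir1#access, which is what lets traversal continue through it.
"""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Set, Tuple, Union

SubjectSet = Tuple[str, str]          # (object, relation)
Node = Union[str, SubjectSet]         # subject ID or subject set

# Constructed sample input: the relation tuples from the page.
TUPLES = """
// user1 has access on dir1
dir1#access@user1
// subject set with an empty relation
dir1#child@(file1#)
// everyone with access to dir1 has access to file1
file1#access@(dir1#access)
file2#access@user1
file2#owner@user2
file2#access@(file2#owner)
"""


def parse_tuple(line: str) -> Tuple[SubjectSet, Node]:
    """Parse `object#relation@subject` into a directed edge (source, target)."""
    left, subject = line.split("@", 1)
    obj, rel = left.split("#", 1)
    if subject.startswith("(") and subject.endswith(")"):
        s_obj, s_rel = subject[1:-1].split("#", 1)
        return (obj, rel), (s_obj, s_rel)   # edge to a subject-set node
    return (obj, rel), subject              # edge to a subject-ID node


def build_graph(text: str) -> Dict[SubjectSet, List[Node]]:
    """Adjacency list: every edge points from an object/relation towards a subject."""
    graph: Dict[SubjectSet, List[Node]] = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        src, dst = parse_tuple(line)
        graph[src].append(dst)
    return dict(graph)


def check(graph: Dict[SubjectSet, List[Node]], obj: str, rel: str,
          subject_id: str) -> Tuple[bool, int]:
    """Breadth-first search from (obj, rel) for a path to subject_id.

    Returns (allowed, number_of_nodes_visited). Only successors of the
    starting object are ever touched, which is the locality property
    described on the page; the seen-set also makes cyclic subject sets safe.
    """
    start: SubjectSet = (obj, rel)
    seen: Set[Node] = {start}
    queue: Deque[SubjectSet] = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt in seen:
                continue
            seen.add(nxt)
            if isinstance(nxt, str):            # subject-ID node: leaf
                if nxt == subject_id:
                    return True, len(seen)
            else:                               # subject-set node: keep walking
                queue.append(nxt)
    return False, len(seen)


GRAPH = build_graph(TUPLES)

if __name__ == "__main__":
    for query in [("file1", "access", "user1"), ("file2", "access", "user2"),
                  ("file1", "access", "user2")]:
        allowed, visited = check(GRAPH, *query)
        print(f"{query[0]}#{query[1]}@{query[2]}: {allowed} (visited {visited} nodes)")
```

The visited-node count makes the locality claim concrete: checking `file1#access@user2` touches only `file1#access`, `dir1#access` and `user1` before answering "no", even though the graph also holds the file2 relations, which are never inspected.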