Hey @dlehammer! Welcome to the community!
Is the below a good summary of your question?
- You have a certain resource (let’s say Project X)
- Project X can have multiple attributes on it. Let’s say “name” is visible and “estimated_cost” is confidential
- Alice, an admin on Project X should be able to access both the “name” and “estimated_cost” attributes
- Bob, a support engineer on Project X should only be able to access the “name” attribute.
If that is the case, one way to model it using Auth0 FGA could be:
```
# You have projects
type project
  relations
    # projects can have admins
    define admin as self
    # projects can have support engineers
    define support_engineer as self
    # only admins can edit projects
    define editor as admin
    # admins and support engineers can view projects
    define viewer as support_engineer or admin

# You have attribute visibility (e.g. normal/confidential)
type attribute_visibility
  relations
    # attribute visibilities belong to a project
    define project as self
    # attribute visibilities have editors
    define editor as self
    # attribute visibilities have viewers
    define viewer as self or editor

# You have attributes
type attribute
  relations
    # attributes have a visibility
    define visibility as self
    # attributes have a project
    define project as self
    # attributes have an editor
    define editor as editor from project and editor from visibility
    # attributes have a viewer
    define viewer as viewer from project and viewer from visibility
    # the permissions that callers check
    define can_edit as editor
    define can_view as viewer
```
```json
[
  // Project X has two attribute visibilities, normal and confidential
  {
    "user": "project:X",
    "relation": "project",
    "object": "attribute_visibility:normal"
  },
  {
    "user": "project:X",
    "relation": "project",
    "object": "attribute_visibility:confidential"
  },
  // Project X admins can edit and view confidential attributes
  {
    "user": "project:X#admin",
    "relation": "editor",
    "object": "attribute_visibility:confidential"
  },
  // Project X admins can edit and view normal attributes
  {
    "user": "project:X#admin",
    "relation": "editor",
    "object": "attribute_visibility:normal"
  },
  // Project X support engineers can view normal attributes
  {
    "user": "project:X#support_engineer",
    "relation": "viewer",
    "object": "attribute_visibility:normal"
  },
  // Alice is an admin on Project X
  {
    "user": "alice",
    "relation": "admin",
    "object": "project:X"
  },
  // Bob is a support engineer on Project X
  {
    "user": "bob",
    "relation": "support_engineer",
    "object": "project:X"
  },
  // Project X has a name attribute
  {
    "user": "project:X",
    "relation": "project",
    "object": "attribute:project-x-name"
  },
  // Project X has an estimated budget attribute
  {
    "user": "project:X",
    "relation": "project",
    "object": "attribute:project-x-estimated-budget"
  },
  // estimated budget's visibility is confidential
  {
    "user": "attribute_visibility:confidential",
    "relation": "visibility",
    "object": "attribute:project-x-estimated-budget"
  },
  // name's visibility is normal
  {
    "user": "attribute_visibility:normal",
    "relation": "visibility",
    "object": "attribute:project-x-name"
  }
]
```
We can check that:
| User | Action | Resource | Allowed? |
|---|---|---|---|
| Alice | View | Project X's name | Yes |
| Alice | View | Project X's estimated budget | Yes |
| Bob | View | Project X's name | Yes |
| Bob | View | Project X's estimated budget | No |
You can see an interactive version of the model described above on the Auth0 FGA Playground.
Let us know if this helps!
Take a look at the Auth0 FGA documentation: https://docs.fga.dev
Join the Auth0 Lab Discord community.
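To see why the table above comes out the way it does, here is a small, dependency-free evaluator of the rewrite rules in that model (`self`, computed usersets, `or`, `and`, and `X from Y`), run over the same tuples. It is an added illustration, not code from the post or from Auth0 FGA; the `MODEL` dict and the `check` / `_eval` functions are constructed here and follow the semantics the model describes, not the real FGA engine.

```python
# Rewrite rules from the model above as a tiny AST: "self" = direct tuples,
# ("rel", r) = computed userset, ("from", r, ts) = "r from ts", plus "or" / "and".
MODEL = {
    "project": {"admin": "self", "support_engineer": "self", "editor": ("rel", "admin"),
                "viewer": ("or", ("rel", "support_engineer"), ("rel", "admin"))},
    "attribute_visibility": {"project": "self", "editor": "self",
                             "viewer": ("or", "self", ("rel", "editor"))},
    "attribute": {"visibility": "self", "project": "self",
                  "editor": ("and", ("from", "editor", "project"), ("from", "editor", "visibility")),
                  "viewer": ("and", ("from", "viewer", "project"), ("from", "viewer", "visibility")),
                  "can_edit": ("rel", "editor"), "can_view": ("rel", "viewer")},
}
# The post's tuples, constructed here as (user, relation, object) triples.
TUPLES = [
    ("project:X", "project", "attribute_visibility:normal"),
    ("project:X", "project", "attribute_visibility:confidential"),
    ("project:X#admin", "editor", "attribute_visibility:confidential"),
    ("project:X#admin", "editor", "attribute_visibility:normal"),
    ("project:X#support_engineer", "viewer", "attribute_visibility:normal"),
    ("alice", "admin", "project:X"),
    ("bob", "support_engineer", "project:X"),
    ("project:X", "project", "attribute:project-x-name"),
    ("project:X", "project", "attribute:project-x-estimated-budget"),
    ("attribute_visibility:confidential", "visibility", "attribute:project-x-estimated-budget"),
    ("attribute_visibility:normal", "visibility", "attribute:project-x-name"),
]
def check(user, relation, obj, tuples=TUPLES):
    """Does `user` hold `relation` on `obj`? Mirrors one FGA Check call."""
    return _eval(MODEL[obj.split(":")[0]][relation], user, relation, obj, tuples)

def _eval(expr, user, relation, obj, tuples):
    if expr == "self":  # direct tuples; a userset such as project:X#admin is expanded recursively
        for u, r, o in tuples:
            if (r, o) != (relation, obj):
                continue
            if u == user or ("#" in u and check(user, u.split("#")[1], u.split("#")[0], tuples)):
                return True
        return False
    kind, *args = expr
    if kind == "rel":   # computed userset: another relation on the same object
        return check(user, args[0], obj, tuples)
    if kind == "or":
        return any(_eval(a, user, relation, obj, tuples) for a in args)
    if kind == "and":   # intersection: both operands must hold (project viewer AND visibility viewer)
        return all(_eval(a, user, relation, obj, tuples) for a in args)
    if kind == "from":  # tuple-to-userset: follow `tupleset` tuples from obj, then check `rel` there
        rel, tupleset = args
        return any(check(user, rel, u, tuples)
                   for u, r, o in tuples if (r, o) == (tupleset, obj) and "#" not in u)
    raise ValueError(f"unknown rewrite: {expr!r}")
```

The `and` in the attribute's `viewer` is what keeps Bob out of the estimated budget: he passes the project side but has no path to `viewer` on `attribute_visibility:confidential`.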