Condition Help or Best Practice

I am looking for some help on what’s the best way to do this. I think I know but I am curious if I am way off base here or not. I want to have a condition that will check to make sure a team member is part of a certain company or set of possible companies when trying to do something against a client.

I added a condition down below and I am curious if this would be the best way to achieve this or not?

model
  schema 1.1

type team_member

type company
  relations
    define member: [team_member]

type group
  relations
    define member: [team_member, group#member]

type clients
  relations
    define can_modify: owner
    define can_view: viewer
    define owner: [team_member with check_allowed_companies, group#member with check_allowed_companies]
    define viewer: [team_member with check_allowed_companies, group#member with check_allowed_companies] or owner

condition check_allowed_companies(team_member_company: map<string>, allowed_companies: list<string>) {
  team_member_company["company"] in allowed_companies
}
Hi @stephenbawks1 !

Can you expand on what you want to accomplish? Why do you want to filter by company?

There might be a way to do something similar with contextual tuples, using this approach (Okta Fine Grained Authorization (FGA) Docs), e.g. you send a list of allowed companies as a contextual tuple.

I think I would like to be able to define the client with a list of allowed companies and when the check is done against a team_member or group, they would need to specify the company that team_member or group is a part of and it would check that against the list of companies or company allowed for that client.

Yes, you can create a client<->company relation

type clients
  relations
    define company: [company]
    define viewer: member from company

would that work?

Yes, that would work. I think in that scenario I would need to define a client/company for each company, then, if there are multiple companies that may need access to the client.

Was wondering if that would be the best way to do that or define a condition.
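To make the trade-off between the two options concrete, here is a small added example (not OpenFGA's code, and not from anyone in this thread) that reimplements just enough tuple resolution in plain Python to run both models offline. It assumes the two models as written above, encoded as Python dicts, and uses constructed clients, companies, groups and team members (c1, acme, globex, initech, eng, alice, bob, carol). A real deployment evaluates these checks on an OpenFGA server; the point here is only to show which facts each option stores as tuples and which it takes from the per-request context.

```python
"""Toy resolver contrasting the two OpenFGA modelling options from the thread.

Added example, not OpenFGA's own implementation. Supports direct tuples,
userset tuples (group:eng#member), computed relations ("or owner") and
tuple-to-userset ("member from company"), plus one condition.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass(frozen=True)
class RelTuple:
    object: str                      # e.g. "clients:c1"
    relation: str                    # e.g. "viewer"
    user: str                        # "team_member:alice", "group:eng#member", "company:acme"
    condition: Optional[str] = None  # name of the condition attached to the tuple
    context: tuple = ()              # condition parameters stored with the tuple, as (key, value) pairs


def check_allowed_companies(tuple_ctx: dict, request_ctx: dict) -> bool:
    """Mirror of the DSL condition: team_member_company["company"] in allowed_companies.
    allowed_companies comes from the tuple; team_member_company from the request."""
    member_company = request_ctx.get("team_member_company", {})
    return member_company.get("company") in tuple_ctx.get("allowed_companies", ())


CONDITIONS: Dict[str, Callable[[dict, dict], bool]] = {
    "check_allowed_companies": check_allowed_companies,
}

# Option 1 (first post): conditions on the owner/viewer tuples.
MODEL_WITH_CONDITION = {
    "clients": {
        "can_modify": [("computed", "owner")],
        "can_view": [("computed", "viewer")],
        "owner": [("direct",)],
        "viewer": [("direct",), ("computed", "owner")],
    },
    "group": {"member": [("direct",)]},
}

# Option 2 (reply): a clients->company relation and "member from company".
MODEL_WITH_COMPANY_RELATION = {
    "clients": {"company": [("direct",)], "viewer": [("ttu", "company", "member")]},
    "company": {"member": [("direct",)]},
}


def check(store, model, user, relation, obj, request_ctx=None, seen=None):
    """Return True if `user` has `relation` on `obj` under `model`, given the tuples in `store`."""
    request_ctx = request_ctx or {}
    seen = seen if seen is not None else set()
    if (obj, relation) in seen:          # guard against cyclic group#member tuples
        return False
    seen.add((obj, relation))
    obj_type = obj.split(":", 1)[0]
    for rule in model.get(obj_type, {}).get(relation, []):
        if rule[0] == "direct":
            for t in store:
                if t.object != obj or t.relation != relation:
                    continue
                if t.condition and not CONDITIONS[t.condition](dict(t.context), request_ctx):
                    continue                 # tuple exists but its condition is not met
                if t.user == user:
                    return True
                if "#" in t.user:            # userset: expand group:eng#member
                    sub_obj, sub_rel = t.user.split("#", 1)
                    if check(store, model, user, sub_rel, sub_obj, request_ctx, seen):
                        return True
        elif rule[0] == "computed":          # e.g. viewer: ... or owner
            if check(store, model, user, rule[1], obj, request_ctx, seen):
                return True
        elif rule[0] == "ttu":               # e.g. member from company
            _, via, target_rel = rule
            for t in store:
                if t.object == obj and t.relation == via:
                    if check(store, model, user, target_rel, t.user, request_ctx, seen):
                        return True
    return False


# Constructed sample data. Option 1: one tuple lists every allowed company.
ALLOWED = (("allowed_companies", ("acme", "globex")),)
STORE_WITH_CONDITION = [
    RelTuple("clients:c1", "owner", "team_member:alice", "check_allowed_companies", ALLOWED),
    RelTuple("clients:c1", "viewer", "group:eng#member", "check_allowed_companies", ALLOWED),
    RelTuple("group:eng", "member", "team_member:bob"),
]
# Option 2: one clients#company tuple per allowed company, membership stored on the company.
STORE_WITH_COMPANY_RELATION = [
    RelTuple("clients:c1", "company", "company:acme"),
    RelTuple("clients:c1", "company", "company:globex"),
    RelTuple("company:acme", "member", "team_member:alice"),
    RelTuple("company:initech", "member", "team_member:carol"),
]


def ctx(company: str) -> dict:
    """Request context the caller must supply for option 1."""
    return {"team_member_company": {"company": company}}


def demo() -> Dict[str, bool]:
    c, m1 = STORE_WITH_CONDITION, MODEL_WITH_CONDITION
    r, m2 = STORE_WITH_COMPANY_RELATION, MODEL_WITH_COMPANY_RELATION
    return {
        "cond/alice@acme/can_modify": check(c, m1, "team_member:alice", "can_modify", "clients:c1", ctx("acme")),
        "cond/alice@initech/can_modify": check(c, m1, "team_member:alice", "can_modify", "clients:c1", ctx("initech")),
        "cond/alice/no-context/can_view": check(c, m1, "team_member:alice", "can_view", "clients:c1"),
        "cond/bob@globex/can_view": check(c, m1, "team_member:bob", "can_view", "clients:c1", ctx("globex")),
        "cond/bob@globex/can_modify": check(c, m1, "team_member:bob", "can_modify", "clients:c1", ctx("globex")),
        "rel/alice/viewer": check(r, m2, "team_member:alice", "viewer", "clients:c1"),
        "rel/carol/viewer": check(r, m2, "team_member:carol", "viewer", "clients:c1"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

The difference worth noticing is where the team member's company comes from. With the condition, it is not stored anywhere: every check trusts the team_member_company value in the request context, so the service issuing the check has to fill it in from its own record of the user, never from client-supplied input, or a caller could name any company it likes. With the company relation, membership is a tuple that has to be written and can be read back or audited, at the cost of one clients#company tuple per allowed company, which is exactly the extra bookkeeping the last post mentions.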