I have been using OpenFGA for a while to model some moderately complex requirements, but I feel I am stuck now at modeling something that's basic in g-drive.
### Access control on a sub-chain
Assume a hierarchy like below, and the access provided at each level:

- Folder1 - User is Owner
- Folder2 - User can_write as owner from parent
- Folder3 - in g-drive, we can remove inherited access (owner here), and give some other access, say we now make user a "viewer"
- Folder4 - as per g-drive logic, no can_write access to user at this point, but in OpenFGA user will have can_write access
- Folder5 - User granted Ownership of Folder 5
- Folder6 - User has can_write of Folder 6

And we can repeat this as many times as possible, creating sub-chains that behave differently (Folder-1 & 2 user has WRITE access, then folder 3 and 4 user has VIEW access, and then again WRITE access).
Is there a way to model this in OpenFGA?
Also, is there any way in OpenFGA to implement 'least privilege model' - on a resource, if as a member of User Group 1 user has WRITE access, and as member of User Group 2 same user has VIEW access, then we want to only allow VIEW access to user.
This discussion was converted from issue #208 on September 18, 2023 17:44.
Many thanks for reading the problem statement.
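The two behaviours the post contrasts, as an added example that is not part of the original post and is not OpenFGA code: a small Python reference evaluator that compares additive inheritance (a grant on any ancestor always propagates down, the behaviour the post describes for OpenFGA) with nearest-grant override (the g-drive behaviour described), and applies the weakest-role rule across groups. The folder grants come from the post; the role ranking, the `writer` role name and all function names are assumptions.

```python
# Added illustration; not OpenFGA code. Grants mirror the post's Folder1..Folder6
# chain; the rank table, "writer" role and function names are assumptions.
RANK = {"viewer": 1, "writer": 2, "owner": 3}
WRITE_MIN = RANK["writer"]

# child -> parent; Folder1 is the root of the chain (constructed sample data)
PARENT = {"Folder2": "Folder1", "Folder3": "Folder2", "Folder4": "Folder3",
          "Folder5": "Folder4", "Folder6": "Folder5"}
# explicit grants for one user; folders absent here only inherit
DIRECT = {"Folder1": "owner", "Folder3": "viewer", "Folder5": "owner"}


def chain(folder):
    """Yield the folder, then each ancestor up to the root."""
    while folder is not None:
        yield folder
        folder = PARENT.get(folder)


def additive_role(folder):
    """Union semantics: the strongest grant anywhere on the path to the root wins."""
    roles = [DIRECT[f] for f in chain(folder) if f in DIRECT]
    return max(roles, key=RANK.get, default=None)


def nearest_role(folder):
    """Override semantics: the closest explicit grant replaces inherited ones."""
    return next((DIRECT[f] for f in chain(folder) if f in DIRECT), None)


def can_write(role):
    """True when the resolved role is at least the write threshold."""
    return role is not None and RANK[role] >= WRITE_MIN


def least_privilege(group_roles, memberships):
    """Weakest role among the user's groups that hold a grant on the resource."""
    roles = [group_roles[g] for g in memberships if g in group_roles]
    return min(roles, key=RANK.get, default=None)
```

Under additive resolution every folder in the chain is writable, while nearest-grant resolution cuts write access at Folder3 and Folder4 and restores it from Folder5.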