Skip to content

Commit

Permalink
Added super admin example (#18)
Browse files Browse the repository at this point in the history 
* feat: added superadmin example

* Update stores/superadmin/store.fga.yaml

* chore: mentioned best practices for super admins

* chore(ci): run ci against superadmin-example

---------

Co-authored-by: Raghd Hamzeh <[email protected]>
  • Loading branch information
@aaguiarz @rhamzeh
aaguiarz and rhamzeh authored Jan 22, 2024
1 parent 461edd5 commit 23cf1ed
Show file tree
Hide file tree
Showing 4 changed files with 160 additions and 1 deletion.
2 changes: 1 addition & 1 deletion .github/workflows/main.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,7 +19,7 @@ jobs:

strategy:
matrix:
store-name: [advanced-entitlements, banking, groups-resource-attributes, ip-based-access, temporal-access, github, gdrive, expenses, iot, slack, entitlements, custom-roles]
store-name: [advanced-entitlements, banking, groups-resource-attributes, ip-based-access, temporal-access, github, gdrive, expenses, iot, slack, entitlements, custom-roles, superadmin]

steps:
- name: Checkout
Expand Down
Empty file added stores/github/tuples.yaml
View file
Empty file.
26 changes: 26 additions & 0 deletions stores/superadmin/README.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
# OpenFGA Super Admin Example

## Use-Case

In B2B SaaS applications, each customer usually has one or more admin users that have full permission over the account.

It's also common that employees of the SaaS company can perform specific actions across different accounts, for configuration or help desk purposes.

Let's assume we want to build a simple multi-tenant SaaS Project management system, with the following roles:

- **System Administrator**: Can perform any action in the system.
- **Help-Desk User**: Can be granted permissions to view any resource for a specific customer, for 1 hour. Note that from a security best practices perspective, it would be optimal to only have temporal access for all super-admin users too.
- **Customer Administrator**: Can perform any action for any resource linked to a specific customer.
- **System Management Service App**: A service application that can perform any action in the system.

The application will have two kinds of resources:
- **Project**
- **Tasks**

See the model, tuples and tests in the [store.yaml](./store.fga.yaml) file.

## Try It Out

1. Make sure you have the [FGA CLI](https://github.com/openfga/cli/?tab=readme-ov-file#installation)

2. In the `slack` directory, run `fga model test --tests store.yaml`
133 changes: 133 additions & 0 deletions stores/superadmin/store.fga.yaml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,133 @@
model: |
model
schema 1.1
# user = users from the customer's organization
type user
# employee = employees of the SaaS vendor
type employee
# application = internal applications that need to perform maintenance tasks
type application
# top level type where we define system administrators, note that we are only defining
# superadmins but there could be other roles that would have restricted permissions
type system
relations
define admin : [employee, application]
# organization represent the SaaS customer
type organization
relations
define system : [system]
# system admins have the same permissions in the organization as
# customer admins
define admin : [user] or admin from system
define member : [user]
# we could define helpdesk members at the system level too without
# a time expiration, but time bounding access help desk access
# for a specific customer is a better security practice
define helpdesk_member : [employee with non_expired_time_grant]
define can_create_project : admin or member
type project
relations
define organization : [organization]
define owner : [user]
# admins from the organization have editor permission in all projects
define editor : [user] or owner or admin from organization
define viewer : [user] or editor or helpdesk_member from organization
type task
relations
define project: [project]
define owner : [user]
# tasks inherit the system admins + helpdesk member permissions from the project
define editor : [user] or editor from project
define viewer : [user] or editor or viewer from project
condition non_expired_time_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) {
current_time < grant_time + grant_duration
}
tuples:
# we define a user and an application as 'super admins'
- user: employee:anne
relation : admin
object: system:global
- user: application:system-management-app
relation : admin
object: system:global

# this tuple connects the global 'system' with each organization, and needs to be created
# for all organizations
- user: system:global
relation: system
object: organization:acme

# we grant access to a help desk user for 1 hour
- user: employee:john
relation: helpdesk_member
object: organization:acme
condition:
name: non_expired_time_grant
context:
grant_time : "2024-01-01T00:00:00Z"
grant_duration : 1h

# peter is the organization's admin
- user: user:peter
relation: admin
object: organization:acme

# we add the tuples for the project and for a task in the project
- user: organization:acme
relation: organization
object: project:openfga

- user: project:openfga
relation: project
object: task:create-example

tests:
- check:
# anne is a super admin, has full access
- user: employee:anne
object: task:create-example
assertions:
viewer: true
editor: true

# peter is an admin in the organization, has full access
- user: user:peter
object: task:create-example
assertions:
viewer: true
editor: true

# the system application has full access
- user: application:system-management-app
object: task:create-example
assertions:
viewer: true
editor: true

# john only has temporary access as viewer
- user: employee:john
object: task:create-example
context:
current_time: "2024-01-01T00:10:00Z"
assertions:
viewer: true
editor: false





0 comments on commit 23cf1ed

Please sign in to comment.