How to model indirect relationship that depend on an attribute?

[juanjoDiaz]

Hi,

Thanks for the great work on OpenFGA!

I'm evaluating adopting it and there is one particular use case that I can figure out: How to model indirect relationships that depend on an attribute?

Let's use the Google Drive example: you have users, folders and documents.
By default, when you have access to a folder, you have access to all the folders inside it.
I want to have a setting at folder level to enable visibility of subfolders, i.e.

• Folder A is inside folder B and folder B has "subfolder visibility" set to true.
• User X has access to Folder B. Thus, user X has access to folder A.
• Folder B "subfolder visibility" set to false.
• User X has access to folder B contents but it has no access to folder A contents.

Could this be modelled with the current version of OpenFGA?

[rhamzeh]

Apologies for the late response @juanjoDiaz

This can be modeled in various ways, here's one.

For the sake of brevity, we reduced the scope from the initial drive example.

model
  schema 1.1
  
type user

type folder
  relations
    define owner: [user]
    define parent: [folder]
    define parent-editor: editor from parent and can_access_children from parent
    define editor: [user] or owner or parent-editor
    define parent-viewer: viewer from parent and can_access_children from parent
    define viewer: [user] or owner or editor or parent-viewer
    define can_access_children: [user:*] or owner

Let's say you have:

• folder:A (allows accessing children)
  • folder:AA
• folder:B (does not allow accessing children)
  • folder:BB

Anne owns both parent folders, Beth is an editor on both parent folders

Tuples

[
  {
    "user": "user:anna",
    "relation": "owner",
    "object": "folder:A"
  },
  {
    "user": "user:beth",
    "relation": "editor",
    "object": "folder:A"
  },
  {
    "user": "folder:A",
    "relation": "parent",
    "object": "folder:AA"
  },
  {
    "user": "user:*",
    "relation": "can_access_subfolders",
    "object": "folder:A"
  },
  {
    "user": "user:anna",
    "relation": "owner",
    "object": "folder:B"
  },
  {
    "user": "user:beth",
    "relation": "editor",
    "object": "folder:B"
  },
  {
    "user": "folder:B",
    "relation": "parent",
    "object": "folder:BB"
  }
]

These assertions can validate that model

[
  {
    "tuple_key": {
      "user": "user:beth",
      "relation": "editor",
      "object": "folder:A"
    },
    "expectation": true
  },
  {
    "tuple_key": {
      "user": "user:anna",
      "relation": "editor",
      "object": "folder:A"
    },
    "expectation": true
  },
  {
    "tuple_key": {
      "user": "user:anna",
      "relation": "editor",
      "object": "folder:AA"
    },
    "expectation": true
  },
  {
    "tuple_key": {
      "user": "user:beth",
      "relation": "editor",
      "object": "folder:AA"
    },
    "expectation": true
  },
  {
    "tuple_key": {
      "user": "user:beth",
      "relation": "editor",
      "object": "folder:B"
    },
    "expectation": true
  },
  {
    "tuple_key": {
      "user": "user:anna",
      "relation": "editor",
      "object": "folder:B"
    },
    "expectation": true
  },
  {
    "tuple_key": {
      "user": "user:anna",
      "relation": "editor",
      "object": "folder:BB"
    },
    "expectation": true
  },
  {
    "tuple_key": {
      "user": "user:beth",
      "relation": "editor",
      "object": "folder:BB"
    },
    "expectation": false
  }
]

You can find this in a demo on the FGA Playground here: https://play.fga.dev/stores/create/?id=01H14W9WH6MHRDKPBGMM58Y3NR