Graph of relations

The relationships of the access control list used by Ory Permissions can be represented as a graph of relations.

Definition

The graph consists of three types of nodes:

  • Objects
  • Subject IDs
  • Subject sets

Edges are directed and represent the relation between an object and a subject.

Example

The following example translates a few relationships into a graph of relations.

note

This example omits the namespace from all data to improve readability. In practice, the namespace always has to be considered.

// User:1 has access on Dir:1
Dir:1#access@User:1

// This is an empty relation.
Dir:1#child@(File:1#)

// Everyone with access to Dir:1 has access to File:1.
File:1#access@(Dir:1#access)

// Direct access on File:2 was granted.
File:2#access@User:1

// User:2 is owner of File:2
File:2#owner@User:2

// Owners of File:2 have access to it; possibly defined through subject set rewrites.
File:2#access@(File:2#owner)

This is represented by the following graph:

note

Solid edges represent explicitly defined relations, while dotted edges represent relations inherited through a subject set.

Ory Permissions utilizes the following key properties of the graph of relations:

  • Edges directed from objects to subjects

    This implies a neat arrangement with objects in one region, subject IDs in another one, and subject sets in between. Edges will always go from the object region towards the subject region.

  • Searching for a possible path is local

    Trying to find a path from an object to a subject will always happen locally. This means that it's only necessary to traverse the nodes that are successors of the object. In typical setups, this means that only a small fraction of the graph has to be searched, regardless of the outcome. The intuition here is that the relations of User:1's files are irrelevant when checking access to User:2's files.
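The tuples from the example above and the two properties just listed can be exercised with the following Go program. It is an added example and not code from Ory Permissions or its documentation: it parses the page's tuple notation into a directed graph keyed by Object#relation and answers a check by walking only the successors of the object node, in the direction of the edges, returning the number of nodes visited so that the locality of the search can be observed. The function names ParseTuple, AddTuples and Check, and the treatment of a subject set with an empty relation (File:1#) as standing for the object itself, are assumptions of this example. The tuples are copied from the example above and omit the namespace, as the page does.

```go
package main

import (
	"fmt"
	"strings"
)

// exampleTuples copies the relation tuples from the example above; "//" lines
// are comments in the page's notation and are skipped by AddTuples.
const exampleTuples = `
// User:1 has access on Dir:1
Dir:1#access@User:1
Dir:1#child@(File:1#)
File:1#access@(Dir:1#access)
File:2#access@User:1
File:2#owner@User:2
// Owners of File:2 have access to it.
File:2#access@(File:2#owner)
`

// Subject is the head of a directed edge: a plain subject ID such as User:1,
// or a subject set such as Dir:1#access, which has outgoing edges of its own.
type Subject struct {
	Object   string // "User:1" for a subject ID, "Dir:1" for the set Dir:1#access
	Relation string // relation of a subject set; "" is the empty relation
	IsSet    bool
}

// Graph stores edges keyed by their tail node "Object#relation".
type Graph struct{ edges map[string][]Subject }

func NewGraph() *Graph { return &Graph{edges: map[string][]Subject{}} }

func nodeKey(object, relation string) string { return object + "#" + relation }

// ParseTuple parses one tuple: Object:ID#relation@Subject:ID (edge to a
// subject ID) or Object:ID#relation@(Object:ID#relation) (edge to a subject set).
func ParseTuple(s string) (object, relation string, subj Subject, err error) {
	objRel, subjectPart, ok := strings.Cut(s, "@")
	if !ok {
		return "", "", Subject{}, fmt.Errorf("missing '@' in tuple %q", s)
	}
	object, relation, ok = strings.Cut(objRel, "#")
	if !ok || object == "" || relation == "" {
		return "", "", Subject{}, fmt.Errorf("bad object#relation in tuple %q", s)
	}
	if strings.HasPrefix(subjectPart, "(") && strings.HasSuffix(subjectPart, ")") {
		setObj, setRel, ok := strings.Cut(subjectPart[1:len(subjectPart)-1], "#")
		if !ok || setObj == "" {
			return "", "", Subject{}, fmt.Errorf("bad subject set in tuple %q", s)
		}
		return object, relation, Subject{Object: setObj, Relation: setRel, IsSet: true}, nil
	}
	if subjectPart == "" {
		return "", "", Subject{}, fmt.Errorf("empty subject in tuple %q", s)
	}
	return object, relation, Subject{Object: subjectPart}, nil
}

// AddTuples parses a block of tuples, one per line, and inserts the edges.
func (g *Graph) AddTuples(block string) error {
	for _, line := range strings.Split(block, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "//") {
			continue
		}
		object, relation, subj, err := ParseTuple(line)
		if err != nil {
			return err
		}
		key := nodeKey(object, relation)
		g.edges[key] = append(g.edges[key], subj)
	}
	return nil
}

// Check answers "does subjectID have relation on object?" with a breadth-first
// walk from Object#relation that only follows edges from object towards subject.
// Subject sets are expanded by continuing from their own node; a set with the
// empty relation is taken to stand for the object itself (assumption).
// The number of nodes visited is returned to show how local the search is.
func (g *Graph) Check(object, relation, subjectID string) (allowed bool, visited int) {
	start := nodeKey(object, relation)
	seen := map[string]bool{start: true}
	queue := []string{start}
	for len(queue) > 0 {
		cur := queue[0]
		queue = queue[1:]
		for _, s := range g.edges[cur] {
			if !s.IsSet || s.Relation == "" {
				if s.Object == subjectID {
					return true, len(seen)
				}
				continue
			}
			next := nodeKey(s.Object, s.Relation)
			if !seen[next] { // cycles between subject sets are cut here
				seen[next] = true
				queue = append(queue, next)
			}
		}
	}
	return false, len(seen)
}

// BuildExampleGraph loads the example tuples into a Graph.
func BuildExampleGraph() *Graph {
	g := NewGraph()
	if err := g.AddTuples(exampleTuples); err != nil {
		panic(err)
	}
	return g
}

func main() {
	g := BuildExampleGraph()
	for _, q := range [][3]string{
		{"File:1", "access", "User:1"}, // granted via Dir:1#access
		{"File:2", "access", "User:2"}, // granted via File:2#owner
		{"File:1", "access", "User:2"}, // denied; File:2's nodes are never visited
	} {
		ok, n := g.Check(q[0], q[1], q[2])
		fmt.Printf("%s#%s@%s -> %v (visited %d nodes)\n", q[0], q[1], q[2], ok, n)
	}
}
```

Running the three checks in main shows the locality property directly: a check on File:1 visits File:1#access and Dir:1#access only, whatever the outcome, and never touches the nodes belonging to File:2.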