
Graph of relations

The relationships of the access control list used by Ory Permissions can be represented as a graph of relations.

Definition

The graph consists of three types of nodes:

  • object nodes
  • subject ID nodes
  • subject set nodes, written as (object#relation), for example (dir1#access)

Edges are directed and represent the relation between an object and a subject.

Example

The following example translates a few relationships into a graph of relations.

note

This example omits the namespace from all data to improve readability. In practice, the namespace always has to be considered.

// user1 has access on dir1
dir1#access@user1

// file1 is a child of dir1. The subject set (file1#) has an empty relation and refers to the object file1 itself.
dir1#child@(file1#)

// Everyone with access to dir1 has access to file1.
file1#access@(dir1#access)

// user1 was granted direct access on file2.
file2#access@user1

// user2 is owner of file2
file2#owner@user2

// Owners of file2 have access to it; possibly defined through subject set rewrites.
file2#access@(file2#owner)

This is represented by the following graph:

note

Solid edges represent explicitly defined relations, while dotted edges represent relations inherited through a subject set.

Ory Permissions utilizes the following key properties of the graph of relations:

  • Edges are directed from objects to subjects

    This implies a neat arrangement with objects in one region, subject IDs in another one, and subject sets in between. Edges always go from the object region towards the subject region, never back.

  • Searching for a possible path is local

    Finding a path from an object to a subject always happens locally: only the nodes that are successors of the object need to be traversed. In typical setups this means that only a small fraction of the graph has to be searched, whether the check is ultimately allowed or denied. The intuition here is that the relations of user1's files are irrelevant when checking access to user2's files.
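To make the two properties concrete, here is a small, self-contained Python model of the graph built from the six relation tuples above. It is an added example written for this page, not code from Ory Permissions, and it omits the namespace just as the page's example does (in practice every object and subject set is namespaced). The tuple notation `object#relation@subject` and the subject-set form `(object#relation)` are taken from the page; the parser, the `RelationGraph` class, its `check` method and the way `check` reports the nodes it visited are assumptions made for illustration. Treating a subject set with an empty relation, such as `(file1#)`, as a terminal node standing for the object itself is also an assumption of this example. The visited set the check returns shows the locality property directly: a check on file2 never touches dir1 or file1, and a denied check still stops after exploring only the object's successors. The visited set also protects the traversal against cycles that subject set rewrites can introduce.

```python
"""Toy graph of relations: object -> subject edges, with a local path search.

Added example for this page; not Ory Permissions code. Namespaces are
omitted to match the page's example (assumption: a single namespace).
"""
from dataclasses import dataclass
from typing import Union


@dataclass(frozen=True)
class SubjectSet:
    """A subject set node, written (object#relation) in tuple notation."""
    object: str
    relation: str  # "" for an empty relation, as in (file1#)


# A subject is either a subject ID (plain string) or a subject set.
Subject = Union[str, SubjectSet]


def parse_tuple(line: str) -> tuple[str, str, Subject]:
    """Parse 'object#relation@subject', where subject is 'user1' or '(obj#rel)'."""
    obj_rel, subject = line.split("@", 1)
    obj, rel = obj_rel.split("#", 1)
    if subject.startswith("(") and subject.endswith(")"):
        s_obj, s_rel = subject[1:-1].split("#", 1)
        return obj, rel, SubjectSet(s_obj, s_rel)
    return obj, rel, subject


class RelationGraph:
    """Directed graph whose edges leave an (object, relation) node towards subjects."""

    def __init__(self, tuples: list[str]) -> None:
        self.edges: dict[tuple[str, str], set[Subject]] = {}
        for line in tuples:
            obj, rel, subject = parse_tuple(line)
            self.edges.setdefault((obj, rel), set()).add(subject)

    def check(self, obj: str, rel: str, subject_id: str) -> tuple[bool, set[tuple[str, str]]]:
        """Is there a path from object#relation to subject_id?

        Returns (allowed, visited). Only successors of the starting node are
        ever explored, so `visited` is the local fragment of the graph that
        the check had to look at. The visited set also stops cyclic subject
        set rewrites from looping forever.
        """
        visited: set[tuple[str, str]] = set()
        stack = [(obj, rel)]
        while stack:
            node = stack.pop()
            if node in visited:
                continue
            visited.add(node)
            for subject in self.edges.get(node, ()):
                if isinstance(subject, str):
                    if subject == subject_id:
                        return True, visited
                elif subject.relation == "":
                    # Assumption: (obj#) with an empty relation names the object itself.
                    if subject.object == subject_id:
                        return True, visited
                else:
                    # Follow the subject set by expanding its own (object, relation) edges.
                    stack.append((subject.object, subject.relation))
        return False, visited


# Constructed sample data: the six tuples from the page's example.
SAMPLE_TUPLES = [
    "dir1#access@user1",
    "dir1#child@(file1#)",
    "file1#access@(dir1#access)",
    "file2#access@user1",
    "file2#owner@user2",
    "file2#access@(file2#owner)",
]

GRAPH = RelationGraph(SAMPLE_TUPLES)


def demo() -> dict[str, tuple[bool, set[tuple[str, str]]]]:
    """Run the checks a reader would want to see on the sample graph."""
    return {
        "file1#access@user1": GRAPH.check("file1", "access", "user1"),  # via (dir1#access)
        "file2#access@user2": GRAPH.check("file2", "access", "user2"),  # via (file2#owner)
        "file1#access@user2": GRAPH.check("file1", "access", "user2"),  # denied, stays local
        "dir1#child@file1": GRAPH.check("dir1", "child", "file1"),      # empty-relation subject set
    }


if __name__ == "__main__":
    for tup, (allowed, visited) in demo().items():
        print(f"{tup}: allowed={allowed}, visited={sorted(visited)}")
```

The denied check `file1#access@user2` visits only `(file1, access)` and `(dir1, access)`; the nodes belonging to file2 are never reached, which is the locality property the list above describes. A graph with mutually recursive subject sets (`a#r@(b#r)` and `b#r@(a#r)`) is denied without looping because each node is expanded once.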