Topaz uses Open Policy Agent as the "outer" policy layer. Conditions can easily be modeled using Rego syntax, and the policy can then use the ds.check built-in (or other directory built-ins) inside the policy to combine ABAC-style and ReBAC-style conditions.
Also note that with OpenFGA, state needs to be passed in by the caller, whereas with Topaz, you have the option of storing objects and their properties in the state store. Which means you can write expressions like
This essentially means "allow the operation if the user can approve the order, AND the order value is lower than the user's approval limit". As you can see, the approval limit can be stored as a property of the user, and the order value can be stored as a property of an order object.
This reduces the burden on the developer to go fetch all these things and pass them into the authorizer (and therefore reduces the possibility of authorization issues introduced by the application).
How could conditions such as these in OpenFGA be modeled?
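Added example, not part of the original issue and not the expression the post refers to: a Topaz policy sketch that combines a `ds.check` relationship test with an attribute comparison on properties held in the directory. The package name, the `order` object type, the `can_approve` relation, the `approval_limit` and `value` property names, and the `input.resource.order_id` field are assumptions made for illustration.

```rego
package orders.approve

import rego.v1

# Fail closed: anything not explicitly allowed below is denied.
default allowed := false

# ReBAC condition: the directory must grant this user "can_approve" on the order.
# Object type, relation and input field names are assumed for this example.
can_approve if {
	ds.check({
		"object_type": "order",
		"object_id": input.resource.order_id,
		"relation": "can_approve",
		"subject_type": "user",
		"subject_id": input.user.id,
	})
}

# The order is loaded from the directory, so its value is not supplied by the caller.
order := ds.object({
	"object_type": "order",
	"object_id": input.resource.order_id,
})

# ABAC condition: the order value must be below the user's approval limit.
allowed if {
	can_approve
	limit := input.user.properties.approval_limit
	value := order.properties.value

	# Rego orders values of different types, so a string-typed property would
	# still compare; require numbers on both sides before comparing.
	is_number(limit)
	is_number(value)
	value < limit
}
```

If either property is missing or the order does not exist, the references are undefined and the decision falls back to `default allowed := false`.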