Permissions Service
The Permissions Service provides fine-grained, relationship-based access control (ReBAC) for the Citadel platform. It is powered by SpiceDB, an implementation of Google's Zanzibar paper.
Overview
While traditional RBAC uses static roles, the Permissions Service allows you to define permissions based on the relationships between users and resources. This is ideal for hierarchical data, ownership models, and sharing mechanisms.
Key Features
- ReBAC via SpiceDB: Handles complex permission graphs with high performance and global consistency.
- Relationship Triples: Define access as triples of the form `resource:id#relation@subject:id`.
- Zanzibar Patterns: Supports features like "Caveats", "Intersection", and "Union" for permission logic.
- Centralized Schema: A single place to define the "laws" of your application's authorization.
How it Works
The service maintains a "Relationship Database" (SpiceDB). When a permission check is required, it performs a graph traversal over the stored relationships to determine whether a chain of relationships connects the subject to the resource under the schema's permission rules.
Relationship Example
`document:readme#viewer@user:alice`
(Alice is a viewer of the document "readme")
Schema Example
```zed
definition user {}

definition document {
    relation viewer: user
    relation owner: user
    // union: either relation grants the view permission
    permission view = viewer + owner
}
```
API Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /check | POST | Check if a subject has a specific permission on a resource. |
| /relationships | GET/POST | Manage relationship triples. |
| /schema | GET/PUT | View or update the SpiceDB schema. |
| /lookup | POST | Find all resources a user has access to, or all users with access to a resource. |
Progressive Integration
- Level 1: Use the Permissions Service to store "Ownership" relationships.
- Level 2: Scale to "Teams" and "Folders" where permissions are inherited.
- Level 3: Use the Policy Service to wrap these checks with attribute-based conditions (ABAC).
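The traversal described under "How it Works", applied to the schema above and extended to the Level 2 teams-and-folders case, as an added Python model. This is illustrative code, not the Permissions Service's or SpiceDB's own implementation. It assumes hypothetical `folder` and `team` definitions, a hypothetical `parent` relation used with the arrow term `parent->view`, and constructed sample triples; `lookup_resources` is a brute-force stand-in for the /lookup endpoint, not its real algorithm.

```python
"""Model of a SpiceDB-style relationship graph and permission check.

Added illustration, not the Permissions Service's or SpiceDB's own code.
It models the concepts on this page: relationship triples written as
resource:id#relation@subject:id, a schema whose permission is a union of
relations (view = viewer + owner), and inheritance through subject sets
(team:eng#member) and parent arrows (parent->view) for the "teams and
folders" case. All object ids below are constructed sample data.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical schema, mirroring the page's document/user definitions and
# extended with folder/team. Permissions are unions of terms; a term of the
# form "relation->permission" walks to the related object (SpiceDB arrow).
SCHEMA: Dict[str, dict] = {
    "user": {"relations": set(), "permissions": {}},
    "team": {"relations": {"member"}, "permissions": {}},
    "folder": {"relations": {"viewer", "owner"},
               "permissions": {"view": ["viewer", "owner"]}},
    "document": {"relations": {"viewer", "owner", "parent"},
                 "permissions": {"view": ["viewer", "owner", "parent->view"]}},
}


def parse_triple(text: str) -> Tuple[str, str, str]:
    """Split 'resource:id#relation@subject' (spaces tolerated) into its parts."""
    resource, rest = text.split("#", 1)
    relation, subject = rest.split("@", 1)
    return resource.strip(), relation.strip(), subject.strip()


def type_of(obj: str) -> str:
    return obj.split(":", 1)[0]


class RelationshipStore:
    """In-memory stand-in for the 'Relationship Database'."""

    def __init__(self) -> None:
        # (resource, relation) -> subjects; a subject may itself be a
        # subject set such as "team:eng#member".
        self.rels: Dict[Tuple[str, str], Set[str]] = defaultdict(set)

    def write(self, triple: str) -> None:
        resource, relation, subject = parse_triple(triple)
        if relation not in SCHEMA[type_of(resource)]["relations"]:
            raise ValueError(f"{relation!r} is not a relation of {type_of(resource)}")
        self.rels[(resource, relation)].add(subject)

    def check(self, resource: str, name: str, subject: str,
              seen: Optional[Set[Tuple[str, str]]] = None) -> bool:
        """Depth-first graph traversal: can `subject` reach (resource, name)?

        `name` is a permission (expanded per the schema) or a relation
        (matched directly or through a subject set). `seen` prunes cycles."""
        if seen is None:
            seen = set()
        node = (resource, name)
        if node in seen:
            return False
        seen.add(node)
        spec = SCHEMA[type_of(resource)]
        if name in spec["permissions"]:  # union: any term grants access
            for term in spec["permissions"][name]:
                if "->" in term:
                    rel, perm = term.split("->", 1)
                    for related in self.rels.get((resource, rel), ()):
                        # the arrow walks to the related object itself
                        if self.check(related.split("#")[0], perm, subject, seen):
                            return True
                elif self.check(resource, term, subject, seen):
                    return True
            return False
        for held in self.rels.get(node, ()):  # relation: direct or subject set
            if held == subject:
                return True
            if "#" in held:
                obj, rel = held.split("#", 1)
                if self.check(obj, rel, subject, seen):
                    return True
        return False

    def lookup_resources(self, obj_type: str, permission: str, subject: str) -> List[str]:
        """Brute-force /lookup: every stored object of obj_type the subject can reach."""
        objects = {res for (res, _) in self.rels if type_of(res) == obj_type}
        return sorted(o for o in objects if self.check(o, permission, subject))


def build_demo_store() -> RelationshipStore:
    """Constructed sample relationships (the first triple is the page's own)."""
    store = RelationshipStore()
    for triple in [
        "document:readme # viewer @ user:alice",   # Level 1: direct viewer
        "document:readme#owner@user:bob",          # Level 1: ownership
        "team:eng#member@user:carol",              # Level 2: team membership
        "folder:eng-docs#viewer@team:eng#member",  # team members view the folder
        "document:design#parent@folder:eng-docs",  # document inherits from folder
    ]:
        store.write(triple)
    return store


if __name__ == "__main__":
    s = build_demo_store()
    for res, subj in [("document:readme", "user:alice"),
                      ("document:readme", "user:carol"),
                      ("document:design", "user:carol")]:
        print(f"check {res}#view@{subj}: {s.check(res, 'view', subj)}")
    print("carol can view:", s.lookup_resources("document", "view", "user:carol"))
```

The `seen` set is what keeps a traversal over cyclic relationship data (a folder that is its own ancestor, teams that contain each other) from looping; a production engine also needs it, plus a depth bound, so that a malformed schema cannot turn a `/check` into a denial of service. Writes are validated against the schema because the service's "laws" are only as strong as the triples it admits.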