Learn the fundamentals of Graph-Based Access Control with an illustrative example.

Fundamentals of GBAC

In Graph-Based Access Control, your authorization model is represented by a graph of objects and one-way edges. The edges represent real-world relationships between the objects. Each edge has a set of attributes, which give users and groups permissions on other objects.

Each object and edge has exactly one “type”. Types define the structure of the authorization model. Each edge type specifies two object types - a source object type and a target object type - and a set of attributes. Edges of a particular type have exactly these attributes and can only link two objects of these two specified types.

Simple Example

To bring this to life, let’s consider a simple, vanilla RBAC scenario. Suppose we are a B2B company with several customers. In our product, we want to support an Admin role for each customer, and a Member role for each customer.

We can model this in GBAC with 2 object types - users and customer_orgs. Every object in our system must have exactly one type, so this should be a mutually exclusive and comprehensively exhaustive (MECE) typing.

For each role, we’ll define one edge type that could link a user with a customer_org. For example, we’ll define an is_admin_of edge type. We’ll attach a bundle of permissions, like manage_members, manage_billing, and view_resources to this edge type.

We’ll then populate our graph with the real-world instances of objects and edges. For example, if Alice is the admin of the Contoso company, we’ll create:

  • One object with object type user to represent Alice
  • One object with object type customer_company to represent Contoso
  • One edge with edge type is_admin_of from Alice to Contoso indicating Alice’s role at Contoso

Adding Complexity

One of the key benefits of using a graph for access control is that graphs are easily extended: as our business grows, we can add complexity to serve new use cases.

  • If we want to give our own employees access to organizations they work with, we can add them to the graph and draw edges to the relevant organizations.
  • If we want to capture relationships, like line management, we can add a "Manager" edge between users and associate new permissions with that edge.
  • If we want to traverse a hierarchy of objects, like files and folders within a customer organization, we can add a "Container" edge and propagate permissions through our hierarchy.

The next article explains the key concepts of graph-based access control in more detail. Click Next to continue.