
Permissions

A relation type can optionally include named permissions. This provides a layer of indirection, which allows a relation type (commonly referred to as a "role") to aggregate a set of permissions.

Note that the relationship between relation types and permissions is "many to many": a permission can be referenced by more than one relation type, and a relation type can aggregate more than one permission.

Aserto supports checking whether a user has a relationship to an object (e.g. an organization). It also supports checking whether a user has a permission on an object. This check returns "true" if ANY of the relations that the user has to this object contains the specified permission.

For example, the "owner", "editor", and "viewer" relation types that we created for the "organization" object type can all contain the "read" permission. If a user has a relation of any of these relation types to a particular organization instance, then they have the "read" permission.

Create permissions

Let's create four permissions: "create", "delete", "edit", and "view". We can then associate each of these permissions with one or more relations.

Click the Permissions tab in the directory sidebar, then the Organization label. We don't yet have any permissions defined.

[Screenshot: org-empty-permissions]

Click the "Add" button to add the four permissions.

[Screenshot: org-create-permission]

We should now have four permissions:

[Screenshot: org-four-permissions]

Assign permissions to relations

To associate a permission with one or more relation types, simply click the permission checkbox. Let's associate the "view" permission with all three relations; the "edit" permission with the "editor" and "owner" relations; and the "create" and "delete" permissions with the "owner" relation.

[Screenshot: org-assign-permissions]
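As an added illustration (not Aserto's own code or API), the following in-memory model captures the permission assignments just made for the "organization" object type and implements the "any relation carries the permission" check described at the top of this page; the user and organization names are constructed sample data.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Relation types aggregate permissions; the mapping is many-to-many, so "view"
# appears under all three relation types while "delete" appears only under "owner".
ORG_RELATION_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "owner": frozenset({"view", "edit", "create", "delete"}),
    "editor": frozenset({"view", "edit"}),
    "viewer": frozenset({"view"}),
}


@dataclass
class Directory:
    """Minimal relation store: (subject, relation_type, object) tuples."""
    relation_permissions: Dict[str, FrozenSet[str]]
    relations: Set[Tuple[str, str, str]] = field(default_factory=set)

    def add_relation(self, subject: str, relation: str, obj: str) -> None:
        # Reject relation types the object type does not define.
        if relation not in self.relation_permissions:
            raise ValueError(f"unknown relation type: {relation}")
        self.relations.add((subject, relation, obj))

    def has_relation(self, subject: str, relation: str, obj: str) -> bool:
        """Relation check: does the subject hold exactly this relation to the object?"""
        return (subject, relation, obj) in self.relations

    def has_permission(self, subject: str, permission: str, obj: str) -> bool:
        """Permission check: true if ANY relation the subject has to this
        object contains the permission; an unknown permission is never granted."""
        return any(
            permission in self.relation_permissions[rel]
            for (s, rel, o) in self.relations
            if s == subject and o == obj
        )


def build_sample_directory() -> Directory:
    # Constructed sample data (hypothetical users and organization instances).
    d = Directory(ORG_RELATION_PERMISSIONS)
    d.add_relation("alice", "owner", "org:acme")
    d.add_relation("bob", "editor", "org:acme")
    d.add_relation("bob", "viewer", "org:acme")  # bob holds two relations
    d.add_relation("carol", "viewer", "org:acme")
    return d
```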

Next, let's grant users access to the organizations we created.