Use the Multi-tenant RBAC Evaluator
Now that you have created your policy instance, you can test it out with the Evaluator. The Evaluator supports several requests, corresponding to Aserto's authorization APIs - is, decisiontree, and query. The default "Check" request, however, is specifically designed for policy-rebac. Using the Evaluator allows you to quickly verify whether a user has a relationship (or permission) on an object.
The Evaluator has two parts. The REQUEST part on the left is where you specify information about the action being performed, while the OUTPUT on the right displays the body of the request as well as the response.
The table below explains the selection fields.
| Field | Description |
|---|---|
| Subject | The user to evaluate. For Multi-tenant RBAC there are 5 Citadel users that you can select from. |
| Object Type | The type of object to evaluate. For Multi-tenant RBAC this will be Resource. |
| Object | The object instance to evaluate. |
| Relation | Which relation or permission to evaluate. |
Testing the policy
Now let's check a few different scenarios using the Evalator. First, a few important things to note about Rick and Morty:
- Rick is an
adminof the wholesystem. This means that Rick has every permission in the system. - Morty is a
vieweron the system. Morty is also aneditoron theCitadeltenant, and anownerof theCitadel adventuresresource, granting him all permissions on that resource. Morty is also aviewerof theSmithstenant, so the only permission he has on theSmiths family budgetresource is thecan_readpermission.
Scenario 1 - can Rick read the citadel-adventures resource?
- For Subject, select "Rick Sanchez".
- For Object Type, select "Resource".
- For Object, select "The Citadel adventures resource".
- For Relation, select "can_read".
- Click the
Playbutton. - You should see
"is": trueunder results indicating the action will be permitted.
Scenario 2 - can Rick delete the citadel-adventures resource?
- For Subject, select "Rick Sanchez".
- For Object Type, select "Resource".
- For Object, select "The Citadel adventures resource".
- For Relation, select "can_delete".
- Click the
Playbutton. - You should see
"is": trueunder results indicating the action will be permitted.
Scenario 3 - can Morty delete the citadel-adventures resource?
- For Subject, select "Morty Smith".
- For Object Type, select "Resource".
- For Object, select "The Citadel adventures resource".
- For Relation, select "can_delete".
- Click the
Playbutton. - You should see
"is": trueunder results indicating the action will be permitted.
Scenario 4 - can Morty read the smiths-budget resource?
- For Subject, select "Morty Smith".
- For Object Type, select "Resource".
- For Object, select "The Smiths family's budget".
- For Relation, select "can_read".
- Click the
Playbutton. - You should see
"is": trueunder results indicating the action will be permitted.
Scenario 5 - can Morty delete the smiths-budget resource?
- For Subject, select "Morty Smith".
- For Object Type, select "Resource".
- For Object, select "The Smiths family's budget".
- For Relation, select "can_delete".
- Click the
Playbutton. - You should see
"is": falseunder results indicating the action will be denied.
Next steps
Now that you have seen how the policy works, you'll use the Quickstart in the console to download and run the sample back-end API, which uses the multi-tenant policy for access control.
Click on the "Quickstart" tab on the left.
