Role

Roles are one of the three building blocks for implementing role-based access control (RBAC). They can be thought of as 'containers' or 'groups' of (typically) users. In most RBAC implementations the set of roles is finite and usually mirrors some organizational structure and/or job function (e.g. admin, owner, member). The role object type in Warrant has five relations: parent (direct relation), owner (direct relation), editor, viewer and member. The editor, viewer and member relations are not assigned directly; they are derived by the rules below (every owner is an editor, every editor is a viewer, and every member of a role's parent is a member of the role). The full representation of the object type is:

{
  "type": "role",
  "relations": {
    "parent": {},
    "owner": {},
    "editor": {
      "type": "anyOf",
      "rules": [
        {
          "type": "userset",
          "relation": "owner"
        }
      ]
    },
    "viewer": {
      "type": "anyOf",
      "rules": [
        {
          "type": "userset",
          "relation": "editor"
        }
      ]
    },
    "member": {
      "type": "anyOf",
      "rules": [
        {
          "type": "objectUserset",
          "relation": "parent",
          "userset": {
            "type": "userset",
            "relation": "member"
          }
        }
      ]
    }
  }
}

Data Integrity

Similar to users and tenants, Warrant operates with 'strict data integrity' with respect to roles. This means that you can only create warrants for roles that exist in Warrant.

However, unlike users and tenants, the expectation is that roles are not already defined in your own system and so do not have to be 'synced' or transferred into Warrant. Instead, you can rely on the RBAC APIs, specifically the Roles API, to manage roles within Warrant.
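The following is an added example, written for this page and not part of Warrant's own code or SDKs, that models how the role object type definition above resolves a check (the userset rule chain owner -> editor -> viewer, and the objectUserset rule that makes members of a parent role members of the child role) and how strict data integrity rejects warrants that reference a role that was never created. The RoleStore class, the Warrant dataclass, the role names (admin, staff) and the users are all constructed for the example; subjects are limited to plain users and roles used as parents, which is a simplification of Warrant's full subject model.

```python
# Added example: a minimal model of the "role" object type rules from this page.
# Not Warrant's implementation; class names, role ids and warrants are assumptions.
from dataclasses import dataclass

# The object type definition from the page, as a Python literal.
ROLE_TYPE = {
    "type": "role",
    "relations": {
        "parent": {},
        "owner": {},
        "editor": {"type": "anyOf", "rules": [{"type": "userset", "relation": "owner"}]},
        "viewer": {"type": "anyOf", "rules": [{"type": "userset", "relation": "editor"}]},
        "member": {"type": "anyOf", "rules": [{"type": "objectUserset", "relation": "parent",
                    "userset": {"type": "userset", "relation": "member"}}]},
    },
}


@dataclass(frozen=True)
class Warrant:
    object_type: str
    object_id: str
    relation: str
    subject: str  # e.g. "user:alice" or "role:admin" (hypothetical subject format)


class RoleStore:
    """Holds roles and their warrants; enforces strict data integrity for roles."""

    def __init__(self):
        self.roles = set()
        self.warrants = set()

    def create_role(self, role_id):
        self.roles.add(role_id)

    def create_warrant(self, object_id, relation, subject):
        # Strict data integrity: a warrant may only reference roles that exist,
        # whether the role is the object or (as a parent) the subject.
        if object_id not in self.roles:
            raise ValueError(f"role:{object_id} does not exist")
        if subject.startswith("role:") and subject[len("role:"):] not in self.roles:
            raise ValueError(f"{subject} does not exist")
        if relation not in ROLE_TYPE["relations"]:
            raise ValueError(f"unknown relation {relation!r} on type role")
        warrant = Warrant("role", object_id, relation, subject)
        self.warrants.add(warrant)
        return warrant

    def direct_subjects(self, object_id, relation):
        return {w.subject for w in self.warrants
                if w.object_id == object_id and w.relation == relation}

    def check(self, object_id, relation, subject, _seen=None):
        """Return True if `subject` has `relation` on role:`object_id`."""
        if _seen is None:
            _seen = set()
        key = (object_id, relation, subject)
        if key in _seen:  # guards against cyclic parent chains
            return False
        _seen.add(key)
        # 1. A directly assigned warrant satisfies the relation.
        if subject in self.direct_subjects(object_id, relation):
            return True
        # 2. Otherwise evaluate the anyOf rules from the object type definition.
        for rule in ROLE_TYPE["relations"][relation].get("rules", []):
            if rule["type"] == "userset":
                # e.g. editor <- owner: anyone who is an owner is also an editor
                if self.check(object_id, rule["relation"], subject, _seen):
                    return True
            elif rule["type"] == "objectUserset":
                # e.g. member <- parent#member: members of a parent role are members here
                for parent in self.direct_subjects(object_id, rule["relation"]):
                    if parent.startswith("role:") and self.check(
                            parent[len("role:"):], rule["userset"]["relation"], subject, _seen):
                        return True
        return False


def build_sample():
    """Constructed sample data: two roles, one parent link, a few direct warrants."""
    store = RoleStore()
    store.create_role("admin")
    store.create_role("staff")
    store.create_warrant("staff", "parent", "role:admin")   # admin is staff's parent
    store.create_warrant("admin", "owner", "user:alice")
    store.create_warrant("admin", "member", "user:bob")
    store.create_warrant("staff", "member", "user:carol")
    return store


if __name__ == "__main__":
    s = build_sample()
    print(s.check("admin", "viewer", "user:alice"))  # True via owner -> editor -> viewer
    print(s.check("staff", "member", "user:bob"))    # True via parent admin#member
    print(s.check("admin", "member", "user:carol"))  # False: membership does not flow upward
```

Running the module walks through the three cases that matter most when reasoning about this object type: an owner being treated as a viewer without any viewer warrant, membership flowing from a parent role to its child, and the absence of any flow in the other direction. Calling create_warrant with a role id that was never created raises, which is the strict-data-integrity behaviour the section above describes.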