Warrants

Warrants are the access control policies used to enforce access to an application. You can think of them as rules that specify relationships (e.g., store A is the parent of item 123) or access privileges (e.g., user 34 is the owner of store 15). Warrants must adhere to your system's object type definitions and are used at runtime to check user access.

There are two types of warrants: user warrants and userset warrants.

User Warrants

User warrants specify a relationship between a specific user and an object. User warrants are useful for implementing fine-grained access control where each user can have different privileges on an object. For example, we can define a user warrant that specifies user 1 is a member of the 'admin' group:

{
  "objectType": "group",
  "objectId": "admin",
  "relation": "member",
  "user": {
    "userId": "1"
  }
}

Userset Warrants

Userset warrants specify a relationship between a userset (a set of users that match a given relation) and an object. Userset warrants are useful for implementing less granular access control schemes like Role-Based Access Control (RBAC), where users belong to groups (or roles) and privileges are assigned to groups instead of directly to users. For example, we can define a userset warrant that specifies any member of the 'admin' group can edit report 1:

{
  "objectType": "report",
  "objectId": "1",
  "relation": "editor",
  "user": {
    "objectType": "group",
    "objectId": "admin",
    "relation": "member"
  }
}
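
To show how the two warrants above combine at check time, here is an added example (not Warrant's own code or API) that evaluates them in memory with default deny. The function names `check` and `revoke_user_warrant` are hypothetical, and the cycle guard is an assumption about how a resolver should treat usersets that reference each other.

```python
# Added illustration: resolving the page's two warrants in memory.
# Not Warrant's implementation; function names are hypothetical.

WARRANTS = [
    # User warrant from the page: user 1 is a member of group "admin".
    {"objectType": "group", "objectId": "admin", "relation": "member",
     "user": {"userId": "1"}},
    # Userset warrant from the page: members of "admin" are editors of report 1.
    {"objectType": "report", "objectId": "1", "relation": "editor",
     "user": {"objectType": "group", "objectId": "admin", "relation": "member"}},
]


def check(warrants, object_type, object_id, relation, user_id, _seen=None):
    """True if user_id holds `relation` on the object, directly or via a userset."""
    seen = _seen if _seen is not None else set()
    key = (object_type, object_id, relation)
    if key in seen:  # usersets may reference each other; never revisit a node
        return False
    seen.add(key)
    for w in warrants:
        if (w["objectType"], w["objectId"], w["relation"]) != key:
            continue
        subject = w["user"]
        if "userId" in subject:
            # User warrant: grants the relation to exactly one user.
            if subject["userId"] == user_id:
                return True
        elif check(warrants, subject["objectType"], subject["objectId"],
                   subject["relation"], user_id, seen):
            # Userset warrant: grants it to anyone holding the referenced relation.
            return True
    return False  # default deny: no warrant grants this relation


def revoke_user_warrant(warrants, object_type, object_id, relation, user_id):
    """Return a copy of `warrants` without the matching user warrant."""
    target = (object_type, object_id, relation)
    return [w for w in warrants
            if not ((w["objectType"], w["objectId"], w["relation"]) == target
                    and w["user"].get("userId") == user_id)]


if __name__ == "__main__":
    print(check(WARRANTS, "report", "1", "editor", "1"))  # via group membership
    reduced = revoke_user_warrant(WARRANTS, "group", "admin", "member", "1")
    print(check(reduced, "report", "1", "editor", "1"))   # access is gone too
```

Removing the single membership warrant also removes every privilege that user held through the group, which is why an access review of a userset warrant has to include the user warrants that feed it.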

Creating and Managing Warrants

Warrants can be created directly in the Warrant dashboard or programmatically via API. Check out the API Reference for more details.