
Warrants

Warrants are the access control rules your application enforces. You can think of them as the records that state which relationships (for example, [store:A] is [parent] of [item:123]) exist between objects in your system. Warrants must adhere to your system's object type definitions, and they are the data consulted at runtime when checking whether a user has access.

Each warrant is composed of an object (identified by an objectType and an objectId), a relation (which must be one of the relations defined on that object type) and a subject (either another object, or a set of objects, to which the relation applies).

For example, the following warrant specifies that [store:A] is [parent] of [item:123]:

{
  "objectType": "item",
  "objectId": "123",
  "relation": "parent",
  "subject": {
    "objectType": "store",
    "objectId": "A"
  }
}

Direct Warrants

Direct warrants explicitly specify a relationship between two specific objects. They're especially useful for implementing fine-grained access control, where every relationship between objects must be stated explicitly. For example, we can define a warrant specifying that [user:1] is a [member] of [role:admin]:

{
  "objectType": "role",
  "objectId": "admin",
  "relation": "member",
  "subject": {
    "objectType": "user",
    "objectId": "1"
  }
}

Indirect Warrants

There may be cases where we want to specify a relationship between an object and a subject without naming exactly which subject the relation applies to. Instead, the subject is a set of objects: every object that holds a given relation on another object. This is especially useful for implementing less granular access control schemes like role-based access control (RBAC), where users are grouped into roles and permissions are assigned to roles instead of directly to users. For example, we can define an indirect warrant specifying that [any member of role:admin] is an [editor] of [report:1]:

{
  "objectType": "report",
  "objectId": "1",
  "relation": "editor",
  "subject": {
    "objectType": "role",
    "objectId": "admin",
    "relation": "member"
  }
}
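To make the direct and indirect cases concrete, here is a small in-memory model of the three warrants shown above, with a check that resolves an indirect subject set at runtime. This is an added example for this page, not Warrant's own implementation: the warrant shape follows the JSON on this page, but the object type definitions (OBJECT_TYPES), the in-memory store, the warrant_errors validator and the check algorithm are assumptions made for illustration.

```python
"""Toy warrant store with validation and access checks (illustrative example,
not Warrant's own code). The warrant shape follows the page's JSON; the object
type definitions, store and resolution algorithm are assumptions."""

# Assumed object type definitions: the relations each object type allows.
OBJECT_TYPES = {
    "store": {"owner"},
    "item": {"parent"},
    "role": {"member"},
    "user": set(),
    "report": {"editor", "viewer"},
}


def warrant_errors(warrant):
    """Return the ways a warrant violates the object type definitions ([] if none).

    Checks the page's rule that a warrant's relation must be defined on its
    object type, and, for an indirect warrant, that the subject's relation is
    defined on the subject's object type.
    """
    errors = []
    obj_type, relation = warrant.get("objectType"), warrant.get("relation")
    subject = warrant.get("subject", {})
    if obj_type not in OBJECT_TYPES:
        errors.append(f"unknown objectType {obj_type!r}")
    elif relation not in OBJECT_TYPES[obj_type]:
        errors.append(f"relation {relation!r} is not defined on {obj_type!r}")
    sub_type = subject.get("objectType")
    if sub_type not in OBJECT_TYPES:
        errors.append(f"unknown subject objectType {sub_type!r}")
    elif "relation" in subject and subject["relation"] not in OBJECT_TYPES[sub_type]:
        # Indirect warrant: subject is the set of objects holding
        # subject.relation on sub_type:subject.objectId.
        errors.append(f"subject relation {subject['relation']!r} is not defined on {sub_type!r}")
    return errors


# Constructed sample store: the three warrants shown on this page.
WARRANTS = [
    {"objectType": "item", "objectId": "123", "relation": "parent",
     "subject": {"objectType": "store", "objectId": "A"}},
    {"objectType": "role", "objectId": "admin", "relation": "member",
     "subject": {"objectType": "user", "objectId": "1"}},
    {"objectType": "report", "objectId": "1", "relation": "editor",
     "subject": {"objectType": "role", "objectId": "admin", "relation": "member"}},
]

# Constructed cyclic store: role:a's members include role:b's members and vice
# versa, with no direct member anywhere. A naive resolver would loop forever.
CYCLIC_WARRANTS = [
    {"objectType": "role", "objectId": "a", "relation": "member",
     "subject": {"objectType": "role", "objectId": "b", "relation": "member"}},
    {"objectType": "role", "objectId": "b", "relation": "member",
     "subject": {"objectType": "role", "objectId": "a", "relation": "member"}},
]


def check(warrants, object_type, object_id, relation, subject_type, subject_id, _seen=None):
    """True if subject_type:subject_id holds `relation` on object_type:object_id.

    A direct warrant matches when its subject is exactly the queried subject.
    An indirect warrant (subject carries a relation) is expanded by recursively
    asking whether the queried subject holds that relation on the subject-set's
    object. `_seen` records (object, relation) pairs already expanded so that
    cyclic warrants terminate (depth-first reachability with a visited set).
    """
    if _seen is None:
        _seen = set()
    key = (object_type, object_id, relation)
    if key in _seen:
        return False
    _seen.add(key)
    for w in warrants:
        if (w["objectType"], w["objectId"], w["relation"]) != key:
            continue
        s = w["subject"]
        if "relation" not in s:  # direct warrant
            if (s["objectType"], s["objectId"]) == (subject_type, subject_id):
                return True
        elif check(warrants, s["objectType"], s["objectId"], s["relation"],
                   subject_type, subject_id, _seen):  # indirect warrant
            return True
    return False


if __name__ == "__main__":
    for w in WARRANTS:
        assert not warrant_errors(w), warrant_errors(w)
    # user:1 is an editor of report:1 only through role:admin membership.
    print(check(WARRANTS, "report", "1", "editor", "user", "1"))   # True
    print(check(WARRANTS, "report", "1", "editor", "user", "2"))   # False
    print(check(CYCLIC_WARRANTS, "role", "a", "member", "user", "9"))  # False
```

Note that the check for user:1 on report:1 succeeds with no warrant naming user:1 and report:1 together; the indirect warrant is expanded into the question "is user:1 a member of role:admin?", which the direct warrant answers. Removing that single membership warrant revokes the user's edit access to every report granted to admins, which is the RBAC behaviour the indirect form is meant to give you.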

Creating and Managing Warrants

Warrants can be created directly in the Warrant dashboard or programmatically via API. Check out the API Reference for more details.