
Build Access Control with Rego

Common Model

While authorization models are varied, the basic building blocks of access control decisions commonly refer to subject, action, and resource.

Subject

The actor of an access control decision: a human operating a browser, or a program using an API (e.g. "alice", "bob").

Resource

The object that is acted on (e.g. "picture", "profile", "bank account").

Action

The act of the access control decision: the operation the subject attempts on the resource (e.g. "read", "delete", "update").

In the how-tos of the various policy models (RBAC, ABAC, ReBAC), we'll assume that data.common contains subject, action, and resource.

How the subject/action/resource tuple relates to the policy input depends on the deployment scenario; see these examples:

If the access tuple is provided as-is in the policy input JSON

{
  "subject": "alice",
  "action": "delete",
  "resource": "dog"
}

it can be used as-is from input:

package common

import rego.v1

subject := input.subject
action := input.action
resource := input.resource
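The mapping above is the trivial case. When the policy input is an HTTP request description instead of a ready-made tuple, the same data.common rules have to derive subject, action and resource from the request. The following is an added example (not code from the original page or from the OPA project) showing one such mapping; the input field names (method, path, headers.authorization), the HMAC key location data.jwt_secret and the issuer name are assumptions made for the example.

```rego
package common

import rego.v1

# Constructed example input (an assumption, not a fixed OPA input schema):
#   {
#     "method": "DELETE",
#     "path": "/dogs/rex",
#     "headers": {"authorization": "Bearer <jwt>"}
#   }

# subject: the "sub" claim of a verified bearer token. io.jwt.decode_verify
# returns [valid, header, payload]; valid is false when the signature, issuer
# or expiry check fails, so subject is then undefined. data.jwt_secret is an
# assumed location for the verification key.
subject := claims.sub if {
	startswith(input.headers.authorization, "Bearer ")
	token := trim_prefix(input.headers.authorization, "Bearer ")
	[valid, _, claims] := io.jwt.decode_verify(token, {
		"secret": data.jwt_secret,
		"alg": "HS256",
		"iss": "example-issuer",
	})
	valid
}

# action: HTTP method mapped onto the vocabulary used by the policy models.
# An unmapped method (e.g. PATCH, TRACE) leaves action undefined.
method_actions := {
	"GET": "read",
	"POST": "create",
	"PUT": "update",
	"DELETE": "delete",
}

action := method_actions[input.method]

# resource: the object identifier taken from the request path, e.g.
# "/dogs/rex" -> "rex". Paths with fewer than two segments leave it undefined.
resource := parts[1] if {
	parts := split(trim_prefix(input.path, "/"), "/")
	count(parts) >= 2
}
```

Because each of the three rules is undefined when its precondition fails (unverifiable token, unmapped method, malformed path), any allow rule in the RBAC/ABAC/ReBAC how-tos that references data.common.subject, data.common.action or data.common.resource is also undefined for such requests, which keeps the default-deny behaviour intact without extra checks in the model policies.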

Access Control Models