To do so, it provides the Ory Permission Language that is a very small subset of
typescript that provides a way to declare classes that implement the concept of
Namespace, relationship between those and predicate permissions on them.
It is meant to be used independently of the other components, like hydra.
As we can see in the above sequence diagram, they do not even show a possible
use of hydra. That explains why it does not deal with directly integration
custom claims in hydra but instead provides a webhooks mechanism.
In the end, we define the models of Namespace -> relations -> OtherNamespace and
the predicates Namespace.permission(Namespace) that may go through this graph
to answer yes or no.2
The model can also defines relations Namespace -> relations -> SubjectSet<OtherNamespace, "relation"> that means that we can also create
relations between instances of Namespace and instances connected by “relation”
to some instance of OtherNamespace. This allows defining RBAC, for people are
put in groups and groups are linked to roles and then we might want to make
relations such as “people that are members of group admin have role admin” that
would translate into “role:admin is in relation ‘Role -> SubjectSet(Group,
members)’ with the group:admin”. The later is a bit weaker because it does not
say that the relation “SubjectSet<Group, members>” is about Users, but this is
admittedly easily inferred by the language..
Then, we instantiate subjects, objects and relations and ask keto whether an
instance (called an objects) of a OtherNamespace may grant a permission on
another instance (called a subject) of a Namespace.3
In fact, the documentation does not say much about how to instantiate users
Namespaces. There are examples4, 5 of defined relations. I assume that
we only define relations. After all, because it is a simple graph database
without data associated with the nodes, you can simple define edges and not the
nodes.
Ory Permission Language
Namespace
Relationship
Relationships are facts about entities stored in Ory Permissions. A
relationship consists of three elements: an object entity, a relation string,
and a subject entity.
Ory Keto Permission Server, is the first open-source implementation of the
design principles and specifications described in Zanzibar: Google’s Consistent,
Global Authorization System.
Example of a model in which instances of User may be permitted to view, edit, delete or share instances of Document. Note how the User and the Document
are not ontologicaly different.