Merged
2 changes: 1 addition & 1 deletion stores/banking/README.md
Expand Up @@ -2,7 +2,7 @@

## Use-Case

It models a banking system, with account managers and account owners, where they have different limits for doing bank transactions. The limit can be overruled for a specific transaction.
It models a banking system with account managers and account owners, each having different transaction limits. A specific transaction's limit can be overruled when necessary. An account owner can delegate access to other users.

The model, tuples and unit tests are detailed in [store.fga.yaml](./store.fga.yaml).

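Review bot: the new sentence on delegation should say that a delegate remains bound by the bank's transfer limit policy, because the model change in store.fga.yaml keeps `and transfer_limit_policy from bank` on `can_make_bank_transfer` for delegates as well. "Other users" is also broader than what the model allows (`define delegate: [customer]`), so "An account owner can delegate access to other customers, who remain subject to the bank's transfer limits." would be more accurate.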
26 changes: 24 additions & 2 deletions stores/banking/store.fga.yaml
Expand Up @@ -3,6 +3,7 @@ model: |
schema 1.1

type employee

type customer

# We need a global Bank type where we define all customers and the transfer limit policy
Expand All @@ -22,8 +23,11 @@ model: |
define owner : [customer]
define account_manager : [employee]

# The customer can delegate access to another customer
define delegate: [customer]

# The bank transfer permission is conditioned to the policy assigned to customers or account managers.
define can_make_bank_transfer : (owner or account_manager) and transfer_limit_policy from bank
define can_make_bank_transfer : (owner or account_manager or delegate) and transfer_limit_policy from bank

# The policy has a maximum limit depending that can be overruled for a specific transaction.
condition transfer_limit_policy(transaction_amount: double, transaction_limit: double, new_transaction_limit_approved: double) {
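Review bot: the comment above `can_make_bank_transfer` still reads "assigned to customers or account managers" and should mention delegates now that `delegate` is part of the union. It is also worth a comment that a delegate does not inherit the owner's limit: `transfer_limit_policy from bank` is evaluated for the delegate's own relationship to the account's bank, so a customer holding a `delegate` tuple but no policy at that bank is denied, which is the safe default and should be stated as intended rather than left implicit.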
Expand Down Expand Up @@ -54,6 +58,11 @@ tuples:
relation: customer
object: bank:acme

# Peter is bank Acme's customer
- user: customer:peter
relation: customer
object: bank:acme

# Anne is bank Acme's employee that's an account manager
- user: employee:bob
relation: account_manager
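Review bot: no tuple in this change assigns a `transfer_limit_policy` to customer:peter at bank:acme (the preceding customer tuple ends at `object: bank:acme`, so the policy is evidently carried by a separate tuple). Since `can_make_bank_transfer` is intersected with `transfer_limit_policy from bank`, the new test expecting `true` for peter at `transaction_amount: 10` with `new_transaction_limit_approved: 0` can only pass if such a tuple exists outside these hunks; please confirm it does, or add it with the intended `transaction_limit`.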
Expand All @@ -74,6 +83,11 @@ tuples:
relation: account_manager
object: account:123

# Peter is a delegate for the `123` account
- user: customer:peter
relation: delegate
object: account:123

tests:
- name: Test bank transfers from customers
check:
Expand All @@ -84,7 +98,15 @@ tests:
new_transaction_limit_approved : 0
assertions:
can_make_bank_transfer: true


- user: customer:peter
object: account:123
context:
transaction_amount: 10
new_transaction_limit_approved : 0
assertions:
can_make_bank_transfer: true

- user: customer:anne
object: account:123
context:
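Review bot: the new delegate test has only a positive assertion; add a negative case for customer:peter (a `transaction_amount` above his limit with `new_transaction_limit_approved: 0`, asserting `can_make_bank_transfer: false`) so a regression that drops the policy intersection for delegates is caught. Also drop the second consecutive blank line introduced before the new entry.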