Skip to main content

Overview

Authorization is the process of determining whether a user is allowed to perform an action. In the context of Frontier, authorization is the process of determining whether a user is allowed to perform an action on a resource. This is done after the system has already confirmed that user has proven their identity (authentication).

Frontier authorization is based on the Role Based Access Control (RBAC) model. In RBAC, access is granted to users based on their roles. A role is a collection of permissions that can be assigned to a user. Permissions determine what actions are allowed on a resource. When a role is assigned to a user, the user is granted all the permissions that the role contains.

In the Frontier, several key components and concepts come into play for authorization of user request to access resources. Let's first look into how a normal user request flow with Frontier will look like.

sequenceDiagram participant User participant App participant Frontier participant SpiceDB % User->>App: Request Resource App->>Frontier : Authenticate User Frontier->>App: User Authenticated % Note over Frontier,User: Assuming user is authenticated <br/> Now check if user is authorized to access the resource alt Case A: User Unauthorized App->>Frontier : Check User is Authorized Frontier ->>SpiceDB: Check API SpiceDB->>App: Invalid Permission App-->>User: Return Permission Denied else Case B: User Authorized App->>Frontier : Check User is Authorized Frontier->>SpiceDB: Check API SpiceDB->>App: Valid Permission App-->>User: Return Resource end


SpiceDB is Authzed's open source Google Zanzibar inspired permission system which is capable of answering the question like

does <User> have <permission> on <resource>?

Permissions are defined as relationships between Users and resources. A User can be a user, a group, or any other entity that needs to be granted permissions. A resource can be a file, a database, or any other object that needs to be protected.

The SpiceDB permissions system works by first creating a permissions schema that defines the relationships between Users and resources. The relationships between resources and Users used for permissions checks are stored within SpiceDB's data store. The schema is then used to create a graph of permissions, where each node in the graph represents a User or resource, and each edge in the graph represents a permission.

When a permission check is performed, SpiceDB traverses the permissions graph to determine whether the User has the required permission to access the resource.