openfga/README.md

# Atlantis OpenFGA model

To test the model run:

```shell
fga model test --tests test.fga.yaml
```


## Writing tuples

Add `user:john@example.no` as a member of organisation `group:/example`
```console
fga tuple write user:john@example.no member group:/example
```

Add as `active` or `registered`:
```console
fga tuple write user:john@example.no active user:john@example.no
fga tuple write user:john@example.no registered user:john@example.no
```

A more complex write operation:
```console
fga tuple write group:/stim#member view archive:23feab9e-e9af-49fd-a740-33c0b63ffd0b --condition-name term --condition-context '{"start_time": "2025-03-18T00:00:00Z", "end_time": "2025-05-01T00:00:00Z"}'
```

To write a group of tuples, specify a file that contains those tuples. Here with `.csv` file:
```console
fga tuple write --file ohs.csv
```


## Deleting a tuples

Delete `user:john@example.no` as a member of organisation `group:/example`
```console
fga tuple delete user:john@example.no member group:/example
```

To delete a group of tuples, specify a file that contains those tuples. Here with `.csv` file:
```console
fga tuple delete --file ohs.csv
```


## Query objects

List all objects from an `archive`, with `group` views

```console
fga query list-objects archive:40d3f9cf-90bc-4aa0-b4d3-62d066d42bd9
fga query list-objects 'group' view archive:fa4ecc27-ba1f-484f-a40b-8e3c1d8f5349
fga query list-objects 'group:/leroy' view archive:fa4ecc27-ba1f-484f-a40b-8e3c1d8f5349
fga query list-objects 'group:/leroy#member' view archive:fa4ecc27-ba1f-484f-a40b-8e3c1d8f5349
```


## How to add a new customer

To add a new customer, you need to define relationships between users, groups, and organizations.

Here's an example of adding a customer named `example`, given an `archive` with ID `f971f6bd-1bb1-4ca5-98d0-c7482a1cc867`, two users `john and jane` with their respective email addresses and a time-based condition for group membership (`2023-06-23` to `2023-07-07`).

1. Create a CSV file (e.g., `csv/customer/example.csv`) with the following content:

```bash
user_type,user_id,relation,object_type,object_id,condition_name,condition_context
system,atlantis,parent,organization,example,, # Establishes the system "atlantis" as a parent of the "example" organization
organization,example,parent,group,/example,, # Sets the "example" organization as a parent of the group "/example"
domain,example.no,realm,organization,example,,# Associates the domain "example.no" with the "example" organization

# Gives the "/example#member" group view access to a specific archive with a time-based condition
group,/example#member,view,archive,f971f6bd-1bb1-4ca5-98d0-c7482a1cc867,term,"{""start_time"": ""2025-06-23T00:00:00Z"", ""end_time"": ""2025-07-07T00:00:00Z""}"
# Gives the "/example#member" group execution rights to the same archive with quota and time conditions
group,/example#member,exec,archive,f971f6bd-1bb1-4ca5-98d0-c7482a1cc867,ticket,"{""tasks"": [ ""*"" ], ""quota"": ""-1.0"", ""start_time"": ""2025-06-23T00:00:00Z"", ""end_time"": ""2025-07-07T00:00:00Z""}"

#  Create the user "john@example.no" with active status, registered status, and group membership
user,john@example.no,active,user,john@example.no,,
user,john@example.no,registered,user,john@example.no,,
user,john@example.no,member,group,/example,,

# Create the user "jane@example.no" with active status, registered status, and group membership
user,jane@example.no,active,user,jane@example.no,,
user,jane@example.no,registered,user,jane@example.no,,
user,jane@example.no,member,group,/example,,
```

2. Write all the tuples to OpenFGA with a single command:

```console
$ fga tuple write --file csv/customer/example.csv
```

3. Impersonate the added/removed customer to check the set permissions.

Use `\impersonate?user=john@example.no` in `maps.oceanbox.io` to tempeorarily get the permissions of the new customer
and check if the correct archives modelareas are added. Then `\unimpersonate` can be used to get back your usual access.