Atlantis OpenFGA model

To test the model run (all fga commands below assume a store and API URL are configured, for example through FGA_STORE_ID and FGA_API_URL or the CLI's .fga.yaml config file):

fga model test --tests test.fga.yaml

Writing tuples

Add user:john@example.no as a member of group:/example, the organization's group:

fga tuple write user:john@example.no member group:/example

Mark the user as active and as registered. Both are tuples on the user object itself, with the user as both subject and object:

fga tuple write user:john@example.no active user:john@example.no
fga tuple write user:john@example.no registered user:john@example.no

A conditional write: give the members of group:/stim (the userset group:/stim#member) view access to an archive, valid only within the term carried in the condition context:

fga tuple write group:/stim#member view archive:23feab9e-e9af-49fd-a740-33c0b63ffd0b --condition-name term --condition-context '{"start_time": "2025-03-18T00:00:00Z", "end_time": "2025-05-01T00:00:00Z"}'

To write many tuples at once, pass a file containing them. Here with a .csv file:

fga tuple write --file ohs.csv

Deleting tuples

Delete user:john@example.no as a member of group:/example:

fga tuple delete user:john@example.no member group:/example

To delete many tuples at once, pass a file containing them; the same file that was used to write them works. Here with a .csv file:

fga tuple delete --file ohs.csv

Query objects

list-objects takes a user (a plain user or a userset such as group:/leroy#member), a relation and an object type, and returns the IDs of that type the user has the relation to. To list the archives a user or a group's members can view:

fga query list-objects user:john@example.no view archive
fga query list-objects 'group:/leroy#member' view archive

To go the other way and find which groups can view one specific archive, use list-users with a user filter on the archive:

fga query list-users --object archive:fa4ecc27-ba1f-484f-a40b-8e3c1d8f5349 --relation view --user-filter 'group#member'

Tuples written with a condition (such as the term above) are only evaluated when the query supplies the context the condition needs, so pass --context with the relevant values when checking conditional access.

How to add a new customer

To add a new customer you define the tuples that tie together the system, the organization, its domain, its group, the archives the group may use and the users who belong to the group.

Here is an example of adding a customer named example, given an archive with ID f971f6bd-1bb1-4ca5-98d0-c7482a1cc867, two users john@example.no and jane@example.no, and a time-based condition on the group's access to the archive (2025-06-23 to 2025-07-07).

  1. Create a CSV file (e.g. csv/customer/example.csv). The columns are user_type, user_id, relation, object_type, object_id, condition_name and condition_context; the last two stay empty for unconditional tuples. The first three rows make the system atlantis the parent of the organization example, make the organization the parent of the group /example, and associate the domain example.no with the organization. The two group rows give the userset /example#member view access to the archive under the time-based condition term, and exec rights on the same archive under the condition ticket, which carries the task list and quota together with the same start and end time. The user rows mark each user active and registered and add them as members of /example. CSV has no comment syntax, so the file contains just the header and the rows:
user_type,user_id,relation,object_type,object_id,condition_name,condition_context
system,atlantis,parent,organization,example,,
organization,example,parent,group,/example,,
domain,example.no,realm,organization,example,,
group,/example#member,view,archive,f971f6bd-1bb1-4ca5-98d0-c7482a1cc867,term,"{""start_time"": ""2025-06-23T00:00:00Z"", ""end_time"": ""2025-07-07T00:00:00Z""}"
group,/example#member,exec,archive,f971f6bd-1bb1-4ca5-98d0-c7482a1cc867,ticket,"{""tasks"": [ ""*"" ], ""quota"": ""-1.0"", ""start_time"": ""2025-06-23T00:00:00Z"", ""end_time"": ""2025-07-07T00:00:00Z""}"
user,john@example.no,active,user,john@example.no,,
user,john@example.no,registered,user,john@example.no,,
user,john@example.no,member,group,/example,,
user,jane@example.no,active,user,jane@example.no,,
user,jane@example.no,registered,user,jane@example.no,,
user,jane@example.no,member,group,/example,,
  2. Write all the tuples to OpenFGA with a single command:
$ fga tuple write --file csv/customer/example.csv
  3. Impersonate the new customer to check the resulting permissions.

Use /impersonate?user=john@example.no on maps.oceanbox.io to temporarily get the permissions of the new customer and check that the correct archives and model areas are present. Then /unimpersonate returns you to your usual access.
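The procedure above, as an added example script that is not part of the Atlantis repository: it generates the customer tuple file from a few parameters instead of hand-editing CSV, validates the term timestamps before anything reaches OpenFGA, and then hands the file to the fga CLI. The relation names, condition names and column layout are the ones used in the customer file above; the function names, the csv/customer/<name>.csv path and the environment variables are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the Atlantis repository. Builds the tuple
# file for a new customer and writes it with the fga CLI. Relations
# (parent, realm, member, view, exec) and conditions (term, ticket) come
# from the customer CSV in the README; function names and the output path
# csv/customer/<name>.csv are assumptions of this example.
set -eu

# Quote a value as one CSV field: wrap in double quotes, double any quotes.
csv_quote() {
  printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"
}

# Only accept RFC 3339 UTC timestamps: a malformed term is not rejected at
# write time, it only surfaces later when OpenFGA evaluates the condition.
require_rfc3339() {
  case "$1" in
    [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]Z) return 0 ;;
    *) echo "not an RFC 3339 UTC timestamp: $1" >&2; return 1 ;;
  esac
}

# customer_tuples NAME DOMAIN ARCHIVE_ID START END USER...
# Prints the header and the tuple rows for one customer to stdout.
customer_tuples() {
  name=$1; domain=$2; archive=$3; start=$4; end=$5; shift 5
  require_rfc3339 "$start" || return 1
  require_rfc3339 "$end" || return 1
  term=$(csv_quote "{\"start_time\": \"$start\", \"end_time\": \"$end\"}")
  ticket=$(csv_quote "{\"tasks\": [ \"*\" ], \"quota\": \"-1.0\", \"start_time\": \"$start\", \"end_time\": \"$end\"}")
  echo 'user_type,user_id,relation,object_type,object_id,condition_name,condition_context'
  echo "system,atlantis,parent,organization,$name,,"
  echo "organization,$name,parent,group,/$name,,"
  echo "domain,$domain,realm,organization,$name,,"
  echo "group,/$name#member,view,archive,$archive,term,$term"
  echo "group,/$name#member,exec,archive,$archive,ticket,$ticket"
  for u in "$@"; do
    echo "user,$u,active,user,$u,,"
    echo "user,$u,registered,user,$u,,"
    echo "user,$u,member,group,/$name,,"
  done
}

# Number of tuples (rows without the header) the file will carry.
tuple_count() {
  customer_tuples "$@" | tail -n +2 | wc -l | tr -d ' '
}

# Generate csv/customer/<name>.csv and write it to the configured store
# (FGA_STORE_ID and FGA_API_URL must point at the right OpenFGA instance).
write_customer() {
  out="csv/customer/$1.csv"
  mkdir -p "$(dirname "$out")"
  customer_tuples "$@" > "$out"
  echo "writing $(tuple_count "$@") tuples from $out" >&2
  fga tuple write --file "$out"
}

# Removing the customer again is the same file fed to tuple delete.
delete_customer() {
  fga tuple delete --file "csv/customer/$1.csv"
}

# Usage: sh add_customer.sh example example.no f971f6bd-1bb1-4ca5-98d0-c7482a1cc867 \
#          2025-06-23T00:00:00Z 2025-07-07T00:00:00Z john@example.no jane@example.no
if [ "$#" -gt 0 ]; then
  write_customer "$@"
fi
```

Generating the file rather than editing it by hand keeps the view and exec rows on the same term and the same archive, which is where copy-and-paste mistakes in a hand-written file tend to go unnoticed until a customer has access outside their contract period.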
