# ACL

Repository: https://github.com/tchoutri/acl (Haskell, BSD-3-Clause license).

This package models an Access Control List (ACL) system with Google's [Zanzibar] as its main inspiration.

Examples are taken from Okta's [OpenFGA Sandbox].

## Terminology

ACL entries are three-tuples of an object, a relation and a subject (called a *user* in the Zanzibar paper).

A subject is the entity whose access to the object is being controlled. This is very close to how the grammar of some Western European languages works: subject, verb and object (although the tuple notation below writes the object first).

The way to represent tuples is the following:

```
⟨tuple⟩ = ⟨object⟩#⟨relation⟩@⟨subject⟩

⟨object⟩ = ⟨namespace⟩:⟨object-id⟩

⟨subject⟩ = ⟨subject-id⟩ | ⟨subject-set⟩

⟨subject-set⟩ = ⟨object⟩#⟨relation⟩
```

Subjects can be directly identified by their subject identifier (`⟨subject-id⟩`), or by a `⟨subject-set⟩`. From the Zanzibar paper:

> [⟨subject-set⟩] allows ACLs to refer to groups and thus supports representing nested group membership

### Examples

<dl>
    <dt> 1. doc:readme#owner@user:10
    <dd> User 10 has the <b>owner</b> relationship to the <b>readme</b> object in the <b>doc</b> namespace
</dl>

<dl>
    <dt> 2. group:eng#member@user:11
    <dd> User 11 has the <b>member</b> relationship to the <b>eng</b> object in the <b>group</b> namespace
</dl>

<dl>
    <dt> 3. doc:readme#viewer@group:eng#member
    <dd> Members of group <b>eng</b> are <b>viewers</b> of <b>doc:readme</b>
</dl>

## Relationships

### Direct relationships

The building block of an ACL is the declaration of a relationship between a subject and an object.

See Example 1.

### Computed relationships

In order to avoid storage waste, it is useful to be able to specify transitive relations based on previously-declared relations.  
For instance, an ACL modeling permissions on a document (reading, writing, administration) would benefit from
giving the writing permission to administrators, and the reading permission to writers. This significantly reduces the number of tuples, as we go from:

```
doc:document1#admin@user:Théophile
doc:document1#writer@user:Théophile
doc:document1#reader@user:Théophile

doc:document1#writer@user:Léa
doc:document1#reader@user:Léa

doc:document1#reader@user:Nour
```

to

```
doc:document1#admin@user:Théophile

doc:document1#writer@user:Léa

doc:document1#reader@user:Nour
```

but the admin and writer retain their transitive permissions.

This kind of ACL check is resolved through a "rewrite rule" that expresses the inheritance of the "reader" relationship to the document by the "writer", and that of the "writer" by the "admin". In Zanzibar such rules are part of the namespace configuration, not tuples in the store: a check for `reader` must consult them at evaluation time.

Expanding a rewrite rule enlarges the set of subjects in which to search for a permission match. Thus, the final set of subjects is not only `readers` but `readers ∪ writers ∪ admins`.

### Indirect Hierarchical Relationships

In order to further reduce the number of tuples stored, and lower the maintenance burden, it is also useful to grant permissions to relations defined elsewhere.
For instance, the `reader` relation can be defined in terms of membership of a group:

```
doc:document1#reader@group:guests#member
```

Resolving such a tuple means expanding the subject-set recursively at check time: whoever is a member of `group:guests` when the check runs is a reader, so membership changes take effect immediately. Because groups may themselves contain groups, an implementation must track the `object#relation` nodes it has already visited, or a cycle (`group:a#member@group:b#member` together with `group:b#member@group:a#member`) makes the check loop forever.

[Zanzibar]: https://storage.googleapis.com/gweb-research2023-media/pubtools/5068.pdf
[OpenFGA Sandbox]: https://play.fga.dev/sandbox/?store=entitlements
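The following is an added example, not code from the tchoutri/acl project: a small Python checker over the tuple grammar above that combines both mechanisms of the "Computed relationships" and "Indirect Hierarchical Relationships" sections. It parses `⟨object⟩#⟨relation⟩@⟨subject⟩` tuples, applies the README's rewrite rules (readers include writers, writers include admins) and follows subject-sets such as `group:guests#member` recursively with a visited set, so nested and even cyclic group membership terminates. The `Acl` class, the `check`/`expand` names, the rule table layout and the sample tuples beyond the README's own are assumptions made for the example.

```python
"""Zanzibar-style check/expand over <object>#<relation>@<subject> tuples.

Added example, not code from the tchoutri/acl project.  The tuple store,
the rewrite-rule table and the function names are assumptions made for
this example.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Set, Tuple, Union


@dataclass(frozen=True)
class SubjectSet:
    """<namespace>:<object-id>#<relation>: everyone holding that relation."""
    namespace: str
    object_id: str
    relation: str


Subject = Union[str, SubjectSet]   # a plain subject id such as "user:10", or a subject-set
ObjRel = Tuple[str, str, str]      # (namespace, object_id, relation): one node of the search


@dataclass(frozen=True)
class AclTuple:
    namespace: str
    object_id: str
    relation: str
    subject: Subject


def _parse_object(text: str) -> Tuple[str, str]:
    namespace, sep, object_id = text.partition(":")
    if not sep or not namespace or not object_id:
        raise ValueError(f"object must be <namespace>:<object-id>: {text!r}")
    return namespace, object_id


def parse_tuple(text: str) -> AclTuple:
    """Parse '<namespace>:<object-id>#<relation>@<subject>'.

    The subject is a subject-set when it contains '#', otherwise a subject id.
    """
    obj_rel, sep, subject_text = text.partition("@")
    if not sep or not subject_text:
        raise ValueError(f"tuple must contain '@<subject>': {text!r}")
    obj_text, sep, relation = obj_rel.partition("#")
    if not sep or not relation:
        raise ValueError(f"tuple must contain '#<relation>': {text!r}")
    namespace, object_id = _parse_object(obj_text)
    subject: Subject
    if "#" in subject_text:
        set_obj, _, set_rel = subject_text.partition("#")
        if not set_rel:
            raise ValueError(f"subject-set needs a relation: {subject_text!r}")
        set_ns, set_id = _parse_object(set_obj)
        subject = SubjectSet(set_ns, set_id, set_rel)
    else:
        subject = subject_text
    return AclTuple(namespace, object_id, relation, subject)


class Acl:
    """Tuple store plus per-namespace rewrite rules.

    rules[namespace][relation] lists the relations whose subjects are also
    granted `relation` (the README's computed relationships).  Rules are
    configuration, not tuples, so they live outside the index.
    """

    def __init__(self, tuples: List[str], rules: Dict[str, Dict[str, List[str]]]):
        self.index: Dict[ObjRel, List[Subject]] = {}
        for line in tuples:
            t = parse_tuple(line)
            self.index.setdefault((t.namespace, t.object_id, t.relation), []).append(t.subject)
        self.rules = rules

    def _subject_ids(self, start: ObjRel) -> Iterator[str]:
        """Yield every subject id reachable from `start` via rewrite rules and
        subject-sets.  Each (ns, obj, rel) node is visited once, which is what
        makes nested or cyclic group membership terminate."""
        seen: Set[ObjRel] = set()
        stack: List[ObjRel] = [start]
        while stack:
            key = stack.pop()
            if key in seen:                      # already explored (or a cycle)
                continue
            seen.add(key)
            ns, obj, rel = key
            for s in self.index.get(key, []):    # direct tuples on this node
                if isinstance(s, SubjectSet):
                    stack.append((s.namespace, s.object_id, s.relation))
                else:
                    yield s
            for r in self.rules.get(ns, {}).get(rel, []):   # computed relationships
                stack.append((ns, obj, r))

    def check(self, object_: str, relation: str, subject_id: str) -> bool:
        """Does subject_id hold `relation` on `object_` ("doc:document1")?"""
        ns, obj = _parse_object(object_)
        return any(s == subject_id for s in self._subject_ids((ns, obj, relation)))

    def expand(self, object_: str, relation: str) -> Set[str]:
        """All subject ids holding `relation`, e.g. readers ∪ writers ∪ admins."""
        ns, obj = _parse_object(object_)
        return set(self._subject_ids((ns, obj, relation)))


# Constructed sample: the README's document tuples and group grant, plus an
# assumed nested group that deliberately cycles back to group:guests.
SAMPLE_TUPLES = [
    "doc:document1#admin@user:Théophile",
    "doc:document1#writer@user:Léa",
    "doc:document1#reader@user:Nour",
    "doc:document1#reader@group:guests#member",
    "group:guests#member@user:Sam",
    "group:guests#member@group:contractors#member",
    "group:contractors#member@group:guests#member",   # cycle
    "group:contractors#member@user:Ana",
]
SAMPLE_RULES = {"doc": {"reader": ["writer"], "writer": ["admin"]}}


if __name__ == "__main__":
    acl = Acl(SAMPLE_TUPLES, SAMPLE_RULES)
    for subj in ("user:Théophile", "user:Nour", "user:Ana", "user:Zed"):
        print(subj, "reader:", acl.check("doc:document1", "reader", subj))
    print("readers:", sorted(acl.expand("doc:document1", "reader")))
```

`check` short-circuits as soon as the subject id is found, while `expand` drains the same traversal; both rely on the shared `seen` set rather than a depth limit, so the cyclic `guests`/`contractors` membership in the sample is explored exactly once.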