Authorization models
NativeSqlEngine evaluates three classical authorization models in one pass. This page defines each
formally and shows how they combine. The runtime is in the PDP decision pipeline.
The decision, abstractly
A decision is a function of a subject
and a request context
Three sources can each grant; the combiner is deny-overrides:
RBAC — role-based
The subject’s roles — direct and inherited — grant permissions by slug. Let
to
and
Roles and their inheritance come from applied manifests. warehouse:supervisor that inherits
warehouse:operator contributes both role’s permissions to the closure.
ABAC — attribute-based
A permission may carry a declared condition — a predicate over request attributes. ConditionEvaluator
evaluates it against the context
ABAC grants
with a failing condition does not grant — and the failed condition is reported in
Decision::$failedConditions.
Conditions are declared in the manifest as { "attr": ..., "op": ..., "value": ... }. Supported operators
are deterministic comparisons (ordering, equality, membership, time windows) — no arbitrary code.
ReBAC — relationship-based
Access can follow from a relationship to a specific resource. Relationships are tuples
where parent) and
relation implication (
is depth-bounded and cycle-guarded; exceeding the bound yields deny. Full treatment in
ReBAC relationships.
Combining them
The combiner is monotone in deny: adding any policy can only keep a result the same or turn it to deny.
That is what makes the engine safe to extend — a new policy can never silently widen access past an existing
deny.
ADR — one engine, not three
Problem. RBAC, ABAC and ReBAC are often separate systems, producing three answers a caller must
reconcile — and three audit trails.
Decision. Evaluate all three in a single NativeSqlEngine::decide pass that emits one Decision with
one explanation and one decisionId.
Consequences. A single, citable answer; deny-overrides applied uniformly across models; no reconciliation
bugs. The trade-off is a more complex engine, contained behind the AuthorizationEngine interface.
RBAC establishes that a subject could hold
Never infer “allowed” from “has the role” — always ask the PDP with the real context.
Next
- Deny-overrides & fail-closed — the safety semantics in full.
- Manifests & declared policy — where roles and conditions come from.
- PDP decision pipeline — the engine at runtime.