
Caveats (ABAC)

Attribute-Based Access Control with CEL caveats. Conditions evaluated at check time, like IP allowlists or rate limits.


    // An entity that can be granted permissions.
    definition user {}

    // A resource that we are trying to protect.
    definition document {
        // Users can be made readers of specific documents, either directly,
        // only if they have a valid IP, or only if they aren't rate limited.
        relation reader: user | user with has_valid_ip | user with not_rate_limited

        // If a user has the reader relationship to a specific document,
        // they automatically get permission to view it.
        permission view = reader
    }

    // Only allowed if the user's IP address falls inside the allowed CIDR.
    // We provide cidr at the time we write the relationship, and
    // we provide user_ip at the time the CheckPermission call is made.
    caveat has_valid_ip(user_ip ipaddress, cidr string) {
        user_ip.in_cidr(cidr)
    }

    // Only allowed if rate limits haven't been exceeded.
    // We provide allowed_max at the time we write the relationship, and
    // we provide current at the time the CheckPermission call is made.
    caveat not_rate_limited(allowed_max int, current int) {
        current < allowed_max
    }
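The schema above splits each caveat's parameters between write time (cidr, allowed_max) and check time (user_ip, current). The following is an added, offline model of how such a check is decided; it is not SpiceDB's or the authzed client libraries' code. It stands in Python functions for the two CEL expressions, merges the context stored on the relationship with the context sent on the check, and reports a conditional result when a required parameter is missing, which is the outcome SpiceDB reports as a conditional permission with the missing field names. The relationship names, the three constructed relationships, and the rule that a stored value wins over a check-time value of the same name are assumptions of this model, not facts taken from the page. In the real API the write-time values travel on the relationship's caveat context and the check-time values on the CheckPermission request's context.

```python
"""Offline model of caveat evaluation for the ABAC schema on this page.

Added example, not SpiceDB's own code. Python functions replace the CEL
expressions; the merge and missing-context rules are this model's assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Outcomes, mirroring the three permissionship answers a caveated check can give.
HAS_PERMISSION = "HAS_PERMISSION"
NO_PERMISSION = "NO_PERMISSION"
CONDITIONAL = "CONDITIONAL_PERMISSION"  # a parameter needed to decide was absent


def has_valid_ip(ctx):
    """Model of `user_ip.in_cidr(cidr)`: is the caller's address inside the CIDR?"""
    return ipaddress.ip_address(ctx["user_ip"]) in ipaddress.ip_network(ctx["cidr"], strict=False)


def not_rate_limited(ctx):
    """Model of `current < allowed_max`."""
    return int(ctx["current"]) < int(ctx["allowed_max"])


# Caveat name -> (parameter names the expression needs, evaluator).
CAVEATS = {
    "has_valid_ip": ({"user_ip", "cidr"}, has_valid_ip),
    "not_rate_limited": ({"allowed_max", "current"}, not_rate_limited),
}


@dataclass
class Relationship:
    resource: str                      # e.g. "document:payroll"
    relation: str                      # e.g. "reader"
    subject: str                       # e.g. "user:bob"
    caveat: Optional[str] = None       # caveat name, if the relationship is caveated
    caveat_context: dict = field(default_factory=dict)  # values fixed at write time


def evaluate_caveat(name, written_ctx, check_ctx):
    """Return (outcome, missing_parameter_names) for one caveated relationship."""
    params, fn = CAVEATS[name]
    # Model assumption: a value stored on the relationship cannot be overridden
    # by the caller at check time, so cidr / allowed_max stay as written.
    merged = {**check_ctx, **written_ctx}
    missing = sorted(params - merged.keys())
    if missing:
        return CONDITIONAL, missing
    return (HAS_PERMISSION if fn(merged) else NO_PERMISSION), []


def check_permission(rels, resource, permission, subject, context=None):
    """Model of CheckPermission for `permission view = reader` on document."""
    if permission != "view":
        raise ValueError("schema defines only the 'view' permission")
    context = context or {}
    outcome, missing = NO_PERMISSION, []
    for r in rels:
        if (r.resource, r.relation, r.subject) != (resource, "reader", subject):
            continue
        if r.caveat is None:            # direct, uncaveated reader
            return HAS_PERMISSION, []
        result, m = evaluate_caveat(r.caveat, r.caveat_context, context)
        if result == HAS_PERMISSION:
            return result, []
        if result == CONDITIONAL:       # undecidable beats a plain denial
            outcome, missing = CONDITIONAL, m
    return outcome, missing


# Constructed sample relationships (not from the page).
RELS = [
    Relationship("document:handbook", "reader", "user:alice"),
    Relationship("document:payroll", "reader", "user:bob",
                 caveat="has_valid_ip", caveat_context={"cidr": "10.0.0.0/8"}),
    Relationship("document:api_docs", "reader", "user:carol",
                 caveat="not_rate_limited", caveat_context={"allowed_max": 100}),
]

if __name__ == "__main__":
    print(check_permission(RELS, "document:handbook", "view", "user:alice"))
    print(check_permission(RELS, "document:payroll", "view", "user:bob", {"user_ip": "10.1.2.3"}))
    print(check_permission(RELS, "document:payroll", "view", "user:bob", {"user_ip": "192.168.1.1"}))
    print(check_permission(RELS, "document:payroll", "view", "user:bob"))
    print(check_permission(RELS, "document:api_docs", "view", "user:carol", {"current": 42}))
    print(check_permission(RELS, "document:api_docs", "view", "user:carol", {"current": 100}))
```

The conditional outcome is the case worth handling in a caller: a check that omits user_ip or current is neither a grant nor a denial, and a policy enforcement point should treat it as a denial unless it can supply the missing context and re-check.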

Schemas come from the authzed/examples repository (Apache 2.0). Comments shown alongside the code are the authors' original docstrings.