Caveats (ABAC)
Attribute-Based Access Control with CEL caveats. Conditions evaluated at check time, like IP allowlists or rate limits.
```zed
/** An entity that can be granted permissions */
definition user {}

/** A resource that we are trying to protect */
definition document {
    /**
     * Users can be made readers of specific documents,
     * either directly, or only if they have a valid IP, or only if they aren't rate limited.
     */
    relation reader: user | user with has_valid_ip | user with not_rate_limited

    /** If a user has the reader relationship to a specific document, they automatically get permission to view it */
    permission view = reader
}

/**
 * Only allowed if the IP address is allowed.
 * We can provide cidr at the time we write the relation, and
 * we can provide user_ip at the time the CheckPermission is made.
 */
caveat has_valid_ip(user_ip ipaddress, cidr string) {
    user_ip.in_cidr(cidr)
}

/**
 * Only allowed if rate limits haven't been exceeded.
 * We can provide allowed_max at the time we write the relation, and
 * we can provide current at the time the CheckPermission is made.
 */
caveat not_rate_limited(allowed_max int, current int) {
    current < allowed_max
}
```

Schemas come from the authzed/examples repository (Apache 2.0). Comments shown alongside the code are the authors' original docstrings.
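The split the docstrings describe, with `cidr` and `allowed_max` fixed when the relationship is written and `user_ip` and `current` supplied on each CheckPermission call, is easiest to see by evaluating it locally. The following is an added example, not code from the authzed/examples repository or from SpiceDB itself: it re-implements the two CEL caveat bodies with the Python standard library over a constructed set of relationships, and reports a conditional result (with the missing parameter names) when the merged context is incomplete, in the spirit of SpiceDB's CONDITIONAL_PERMISSION outcome.

```python
import ipaddress
from typing import Callable

# Caveat bodies from the schema, translated from CEL to plain Python.
CAVEATS: dict[str, tuple[list[str], Callable[[dict], bool]]] = {
    "has_valid_ip": (
        ["user_ip", "cidr"],
        lambda ctx: ipaddress.ip_address(ctx["user_ip"])
        in ipaddress.ip_network(ctx["cidr"], strict=False),
    ),
    "not_rate_limited": (
        ["allowed_max", "current"],
        lambda ctx: ctx["current"] < ctx["allowed_max"],
    ),
}

# Constructed relationships (sample data for this example, not real tuples):
# (resource, relation, subject, caveat name or None, write-time caveat context).
RELATIONSHIPS = [
    ("document:specs", "reader", "user:alice", None, {}),
    ("document:specs", "reader", "user:bob", "has_valid_ip", {"cidr": "10.0.0.0/8"}),
    ("document:specs", "reader", "user:carol", "not_rate_limited", {"allowed_max": 100}),
]


def check_view(document: str, user: str, check_ctx: dict) -> tuple[str, list[str]]:
    """Evaluate `permission view = reader` for one user with check-time context.

    Returns ("HAS_PERMISSION", []), ("NO_PERMISSION", []) or
    ("CONDITIONAL_PERMISSION", [names of caveat parameters still missing]).
    """
    missing_overall: list[str] = []
    for resource, relation, subject, caveat, write_ctx in RELATIONSHIPS:
        if (resource, relation, subject) != (document, "reader", user):
            continue
        if caveat is None:
            return "HAS_PERMISSION", []  # uncaveated relationship: no conditions
        params, body = CAVEATS[caveat]
        # Write-time and check-time context are merged; the schema docstrings keep the
        # two key sets disjoint, so precedence on overlap is not modelled here.
        merged = {**write_ctx, **check_ctx}
        missing = [p for p in params if p not in merged]
        if missing:
            missing_overall.extend(missing)  # cannot decide: report what is needed
            continue
        if body(merged):
            return "HAS_PERMISSION", []
    if missing_overall:
        return "CONDITIONAL_PERMISSION", missing_overall
    return "NO_PERMISSION", []
```

Note that a caveated relationship whose check-time context is absent is neither an allow nor a deny; a caller must supply the missing fields and check again.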