[Question] How might I best model temporal entities with temporal relationships? #1338

Open
byatesrae opened this issue Oct 31, 2023 · 1 comment

Comments

@byatesrae

What's your scenario? What do you want to achieve?
I’m after some guidance given I’m struggling to work out how best to model my authorization requirements using Casbin. My own attempt feels like it falls a bit short because I've pushed a lot of the complexity into the matcher leaving the policies themselves seemingly redundant. Any help would be very much appreciated.

Here’s a summary of the entities:

  • I have a User with ID, type (customer or admin) & active time range (defined by a start & finish)
  • I also have a Store with ID & active time range
  • A StoreUser represents a relationship between a User & a Store. It has a userID, storeID & active time range
  • User A is allowed to view Store B if:
    • The User A is active & Store B is active & an active StoreUser exists with userID ‘A’ and storeID ‘B’
    • Or, User A has type ‘admin’

A few extra points:

  • There are a significant number of Users and Stores. Looking at Casbin docs on performance optimization I’m guessing we don’t want the number of policies to scale with the number of Users & Stores.
  • There may be many StoreUser entries for the same User & Store. Each of these will have non-overlapping active time ranges, e.g.
    • userID ‘Bob’, storeID ‘BobsBurgers’, active.Start ‘2023-01-01T00:00:00’, active.Finish ‘2023-01-31T23:59:59’
    • userID ‘Bob’, storeID ‘BobsBurgers’, active.Start ‘2023-03-04T12:09:00’, active.Finish ‘2023-03-31T23:59:59’

Your model:

[request_definition]
r = sub, obj, act, user, store

[policy_definition]
p = sub, obj, act

[role_definition]
g = _, _

[policy_effect]
e = some(where (p.eft == allow))

[matchers]
m = g(r.sub, p.sub) && r.obj == p.obj && r.act == p.act && isActive(r.user.active) && isActive(r.store.active) && (r.user.type == "admin" || isActiveStoreUser(r.user,r.store))

Your policy:

p, customer, stores, read
p, admin, stores, read

g, alice, admin
g, bob, customer

Your request(s):

Assuming these requests were made at “2023-01-20T00:00:00”...

// expected: true (store is active, alice is active & alice is admin)
alice, stores, read, {type: "admin", id: "alice", active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}, {id: "AndysApples", users:[], active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}

// expected: false (store is not active)
alice, stores, read, {type: "admin", id: "alice", active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}, {id: "AndysApples", users:[], active: {start: "2023-01-01T00:00:00", finish: "2023-01-15T23:59:59"}}

// expected: false (bob is not a StoreUser)
bob, stores, read, {type: "customer", id: "bob", active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}, {id: "AndysApples", users:[], active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}

// expected: false (alice is not active)
alice, stores, read, {type: "admin", id: "alice", active: {start: "2023-01-01T00:00:00", finish: "2023-01-15T23:59:59"}}, {id: "BobsBurgers", users:[{id: "bob", active: {start: "2023-01-01T00:00:00", finish: "2023-01-15T23:59:59"}}], active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}

// expected: false (bob is not an active StoreUser)
bob, stores, read, {type: "customer", id: "bob", active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}, {id: "BobsBurgers", users:[{id: "bob", active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}], active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}

// expected: true (store is active, bob is active & bob is an active StoreUser)
bob, stores, read, {type: "customer", id: "bob", active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}, {id: "BobsBurgers", users:[{id: "bob", active: {start: "2023-01-01T00:00:00", finish: "2023-01-15T23:59:59"}}], active: {start: "2023-01-01T00:00:00", finish: "2023-01-31T23:59:59"}}
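
An added example, not part of the issue or of Casbin's own code: a Go sketch of the two helpers the posted matcher calls but the issue never defines, `isActive` and `isActiveStoreUser`, handling several non-overlapping StoreUser ranges for one pair. The `Entity` and `StoreUser` types, `canView`, `demo`, the UTC reading of the zone-less timestamps and the inclusive bounds are assumptions; the sample data is constructed from the Bob/BobsBurgers ranges above.

```go
package main

import (
	"fmt"
	"time"
)

const layout = "2006-01-02T15:04:05" // the issue's timestamps have no zone; UTC assumed

// Entity is a User or a Store (Type is empty for stores); Start/Finish is the active range.
type Entity struct{ ID, Type, Start, Finish string }
type StoreUser struct{ UserID, StoreID, Start, Finish string }

// isActive: now in [start, finish] inclusive; unparsable bounds deny (fail closed).
func isActive(start, finish string, now time.Time) bool {
	s, errS := time.Parse(layout, start)
	f, errF := time.Parse(layout, finish)
	return errS == nil && errF == nil && !now.Before(s) && !now.After(f)
}

// isActiveStoreUser scans every row, since one User/Store pair may have several ranges.
func isActiveStoreUser(links []StoreUser, u, s Entity, now time.Time) bool {
	for _, l := range links {
		if l.UserID == u.ID && l.StoreID == s.ID && isActive(l.Start, l.Finish, now) {
			return true
		}
	}
	return false
}

// canView mirrors the attribute conditions of the matcher posted in the issue.
func canView(links []StoreUser, u, s Entity, now time.Time) bool {
	return isActive(u.Start, u.Finish, now) && isActive(s.Start, s.Finish, now) &&
		(u.Type == "admin" || isActiveStoreUser(links, u, s, now))
}

// demo uses constructed data: Bob's two ranges from the issue, year-long user and store.
func demo(ts string) bool {
	links := []StoreUser{
		{"Bob", "BobsBurgers", "2023-01-01T00:00:00", "2023-01-31T23:59:59"},
		{"Bob", "BobsBurgers", "2023-03-04T12:09:00", "2023-03-31T23:59:59"},
	}
	bob := Entity{"Bob", "customer", "2023-01-01T00:00:00", "2023-12-31T23:59:59"}
	store := Entity{"BobsBurgers", "", "2023-01-01T00:00:00", "2023-12-31T23:59:59"}
	now, err := time.Parse(layout, ts)
	return err == nil && canView(links, bob, store, now)
}

func main() { fmt.Println(demo("2023-01-20T00:00:00"), demo("2023-02-10T00:00:00")) }
```

A request timed in the gap between Bob's two ranges is denied even though both ranges exist, and a malformed timestamp on any entity denies rather than grants.
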
@casbin-bot
Member

@tangyang9464 @JalinWang

@byatesrae byatesrae changed the title [Question] [Question] How might I best model temporal entities with temporal relationships? Oct 31, 2023