A delegated administration example with permit.io

Role-based and relationship-based access control

This example outlines current access controls for Admin, Editor, and Viewer roles across Organization, Project, Application, and Environment resources. Permissions are enforced through calls to an Open Policy Agent (OPA) server, which serves as the Policy Decision Point (PDP) located within the same Kubernetes cluster as the application. Policy updates are orchestrated through an Open Policy Administration Layer (OPAL), and the application handles policy enforcement.

---
config:
  theme: default
  themeVariables:
    noteBkgColor: white
    noteBorderColor: gray
---
sequenceDiagram
    participant A as Policy Admin (OPAL)
    participant D as Policy Decision (OPA)
    participant E as Policy Enforcement (Application)

    A->>D: Policy updates
    Note over D, E: Local requests
    E->>D: Checks permissions
    Note right of E: User input
Note - this page is rendered via golang, and the policies below are checked against the PDP each time this page renders.

  • fred@initialcapacity.io has the following permissions for the resource Organization:16af5c5e-e6aa-4cd8-a9d0-6541d03c1581
    • organization.create not permitted
    • organization.delete not permitted
    • organization.read permitted
    • organization.update not permitted
  • fred@initialcapacity.io has the following permissions for the resource Project:f5e5338c-b5f3-4768-823c-15863c443010
    • project.create not permitted
    • project.delete not permitted
    • project.read permitted
    • project.update permitted
  • fred@initialcapacity.io has the following permissions for the resource Application:a903d2be-55e7-4703-9525-a7f92075bf62
    • application.create permitted
    • application.delete permitted
    • application.read permitted
    • application.update permitted
  • fred@initialcapacity.io has the following permissions for the resource Environment:fdd20547-40ec-43b9-bf41-03f39c5a2421
    • environment.create permitted
    • environment.delete permitted
    • environment.read permitted
    • environment.update permitted
  • fred@initialcapacity.io has the following permissions for the resource IdentityProvider:0e4d2072-b303-4fae-a755-46ee6a931082
    • identityprovider.create permitted
    • identityprovider.delete permitted
    • identityprovider.read permitted
    • identityprovider.update permitted
  • fred@initialcapacity.io has the following permissions for the resource Project:97819b8e-411e-4702-ad30-d75bf00031cb
    • project.create not permitted
    • project.delete not permitted
    • project.read not permitted
    • project.update not permitted
  • fred@initialcapacity.io has the following permissions for the resource IdentityProvider:dc17acb6-d7a8-46f1-8fdb-c8488fce21ce
    • identityprovider.create not permitted
    • identityprovider.delete not permitted
    • identityprovider.read not permitted
    • identityprovider.update not permitted
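An added example (not code from this page, permit.io or OPAL) of the enforcement step described above: a Go policy enforcement point that forwards one check, such as fred@initialcapacity.io performing organization.read on Organization:16af5c5e-e6aa-4cd8-a9d0-6541d03c1581, to the in-cluster OPA data API and fails closed when OPA errors or leaves the rule undefined. The OPA address, the rule path "app/authz/allow" and the input field names are assumptions to be matched to the deployed policy bundle.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"net/http"
)

// Checker is the application's policy enforcement point. It never decides on its
// own: every check goes to the in-cluster OPA PDP, and any failure means "not permitted".
type Checker struct {
	BaseURL string       // assumed OPA address, e.g. http://opa.policy.svc.cluster.local:8181
	Rule    string       // assumed data path of the allow rule, e.g. "app/authz/allow"
	Client  *http.Client
}

// PermissionRequest is the OPA input document. Field names are an assumption;
// user, action and resource Type:Key follow the checks listed on this page.
type PermissionRequest struct {
	User         string `json:"user"`
	Action       string `json:"action"`
	ResourceType string `json:"resource_type"`
	ResourceKey  string `json:"resource_key"`
}

// Allowed POSTs {"input": req} to OPA's data API and returns true only when
// the reply is {"result": true}. Non-200 status, transport errors and an
// undefined rule (OPA omits "result" entirely) all count as a denial.
func (c *Checker) Allowed(req PermissionRequest) (bool, error) {
	body, err := json.Marshal(map[string]any{"input": req})
	if err != nil {
		return false, err
	}
	resp, err := c.Client.Post(c.BaseURL+"/v1/data/"+c.Rule, "application/json", bytes.NewReader(body))
	if err != nil {
		return false, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return false, fmt.Errorf("opa returned HTTP %d", resp.StatusCode)
	}
	var out struct {
		Result *bool `json:"result"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return false, err
	}
	return out.Result != nil && *out.Result, nil
}
```

The page's own checks map directly onto this call: one PermissionRequest per action/resource pair, rendered as "permitted" only when Allowed returns true without error.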