refactor(backend): extend FGA model with all the requirements [WIP 4]

Dam-99 · Dam-99 · commit e870eab7938e · 2026-05-04T11:57:10.000+02:00
Part 4 of refactor

Signed-off-by: Damiano Mason &lt;damiano.mason@secomind.com&gt;
diff --git a/backend/priv/fga/model.fga b/backend/priv/fga/model.fga
@@ -6,7 +6,8 @@
 # TODO: update all comments, or remove them
 # TODO: make sure all resources have owners/admins/editors, and that there are 'can_'
 # relations for all relevant operations on them,
-# including managing roles operations (? no, i think this will go to portal)
+# including managing roles operations (or maybe this will go to portal?)
+# TODO: formatting/alignment
 
 model
   schema 1.1
@@ -45,9 +46,8 @@ type tenant
     define is_admin:    admin or owner
     define is_owner:    owner
 
-    # Blacklist per-tenant
+    # Blacklist roles per-tenant
     define realm_blacklisted: [user]
-    # define device_blacklisted: [user]
     define system_model_blacklisted: [user]
     define hardware_type_blacklisted: [user]
     define base_image_collection_blacklisted: [user]
@@ -56,8 +56,6 @@ type tenant
     define network_blacklisted: [user]
     define container_blacklisted: [user]
     define application_blacklisted: [user]
-    # define release_blacklisted: [user]
-    # define deployment_blacklisted: [user]
     define channel_blacklisted: [user]
     define device_group_blacklisted: [user]
     define campaign_blacklisted: [user]
@@ -75,24 +73,13 @@ type tenant
     define can_delete_realm:    (realm_owner or is_admin) but not realm_blacklisted
     define can_delete_all_realms:  is_admin but not realm_blacklisted
 
-    ## ---- Devices ----
-    # queste credo che possano essere ottentute in altri modi tramite il realm
-    # però possono servire per blacklist
-    # define can_view_all_devices: can_view_all_realms
-    # define can_rename_all_devices: can_view_all_devices and can_edit_all_realms
-    # define can_edit_tags_all_devices: can_view_all_devices and can_edit_all_realms
-    # define can_access_terminal_all_devices: can_view_all_realms and can_edit_all_realms
-    # define can_update_all_devices: can_view_all_realms and can_edit_all_realms
-    # define can_identify_devices: can_view_all_realms and can_edit_all_realms
-
-
     ## ---- System models ----
     define system_model_creator: [user]
     define system_model_viewer:  [user]
     define system_model_editor:  [user]
     define system_model_deleter: [user]
 
-    define can_create_system_model:      system_model_creator or system_model_editor
+    define can_create_system_model:      (system_model_creator or system_model_editor) but not system_model_blacklisted
     define can_view_all_system_models:   (system_model_viewer or system_model_editor or system_model_creator or system_model_deleter) but not system_model_blacklisted
     define can_edit_all_system_models: system_model_editor but not system_model_blacklisted
     define can_delete_all_system_models: system_model_deleter but not system_model_blacklisted
@@ -103,105 +90,100 @@ type tenant
     define hardware_type_editor:  [user]
     define hardware_type_deleter: [user]
 
-    define can_create_hardware_type:      hardware_type_creator or hardware_type_editor
+    define can_create_hardware_type:      (hardware_type_creator or hardware_type_editor) but not hardware_type_blacklisted
     define can_view_all_hardware_types:   (hardware_type_viewer or hardware_type_editor or hardware_type_creator or hardware_type_deleter) but not hardware_type_blacklisted
     define can_edit_all_hardware_types: hardware_type_editor but not hardware_type_blacklisted
     define can_delete_all_hardware_types: hardware_type_deleter but not hardware_type_blacklisted
 
     ## ---- Base image collections ----
+    define base_image_collection_creator:      [user]
     define base_image_collection_viewer:       [user]
     define base_image_collection_editor:       [user]
-    define base_image_collection_creator:      [user]
     define base_image_collection_deleter:      [user]
     define base_image_collection_image_adder:  [user]
     define base_image_collection_image_remover:[user]
 
+    define can_create_base_image_collection:      (base_image_collection_creator or base_image_collection_creator or base_image_collection_editor) but not base_image_collection_blacklisted
     define can_view_all_base_image_collections:   (base_image_collection_viewer or base_image_collection_editor or base_image_collection_creator or base_image_collection_deleter) but not base_image_collection_blacklisted
-    define can_create_base_image_collection:      base_image_collection_creator or base_image_collection_editor
     define can_edit_all_base_image_collections: base_image_collection_editor but not base_image_collection_blacklisted
     define can_delete_all_base_image_collections: base_image_collection_deleter but not base_image_collection_blacklisted
     define can_add_image_to_all_collections:      (base_image_collection_image_adder or base_image_collection_editor) but not base_image_collection_blacklisted
     define can_remove_image_from_all_collections: (base_image_collection_image_remover or base_image_collection_editor) but not base_image_collection_blacklisted
 
     ## ---- Image credentials ----
+    define image_credential_creator: [user]
     define image_credential_viewer:  [user]
     define image_credential_editor:  [user]
     define image_credential_deleter: [user]
 
-    # define can_create_image_credential:  (editor or is_admin) from tenant #? maybe a role?
+    define can_create_image_credential:  (image_credential_creator or image_credential_editor or is_admin) but not image_credential_blacklisted
     define can_view_all_image_credentials:   (image_credential_viewer or image_credential_editor or image_credential_deleter) but not image_credential_blacklisted
     define can_edit_all_image_credentials: image_credential_editor but not image_credential_blacklisted
     define can_delete_all_image_credentials: image_credential_deleter but not image_credential_blacklisted
 
     ## ---- Volumes ----
+    define volume_creator: [user]
     define volume_viewer:  [user]
     define volume_editor:  [user]
     define volume_deleter: [user]
 
-    # define can_create_volume:  (editor or is_admin) from tenant #? maybe a role?
+    define can_create_volume:  (volume_creator or volume_editor or is_admin) but not volume_blacklisted
     define can_view_all_volumes:   (volume_viewer or volume_editor or volume_deleter) but not volume_blacklisted
     define can_edit_all_volumes: volume_editor but not volume_blacklisted
     define can_delete_all_volumes: volume_deleter but not volume_blacklisted
 
     ## ---- Networks ----
+    define network_creator: [user]
     define network_viewer:  [user]
     define network_editor:  [user]
     define network_deleter: [user]
 
-    # define can_create_network:  (editor or is_admin) from tenant #? maybe a role?
+    define can_create_network:  (network_creator or network_editor or is_admin) but not network_blacklisted
     define can_view_all_networks:   (network_viewer or network_editor or network_deleter) but not network_blacklisted
     define can_edit_all_networks: network_editor but not network_blacklisted
     define can_delete_all_networks: network_deleter but not network_blacklisted
 
     ## ---- Containers ----
+    define container_creator: [user]
     define container_viewer:  [user]
     define container_editor:  [user]
     define container_deleter: [user]
 
-    # define can_create_container:  (editor or is_admin) from tenant #? maybe a role?
+    define can_create_container:  (container_creator or container_editor or is_admin) but not container_blacklisted
     define can_view_all_containers:   (container_viewer or container_editor or container_deleter) but not container_blacklisted
     define can_edit_all_containers: container_editor but not container_blacklisted
     define can_delete_all_containers: container_deleter but not container_blacklisted
 
     ## ---- Applications ----
+    define application_creator: [user]
     define application_viewer:  [user]
     define application_editor:  [user]
-    define application_creator: [user]
     define application_deleter: [user]
 
+    define can_create_application:      (application_creator or application_editor or is_admin) but not application_blacklisted
     define can_view_all_applications:   (application_viewer or application_editor or application_creator or application_deleter) but not application_blacklisted
-    define can_create_application:      application_creator or application_editor
     define can_edit_all_applications: application_editor but not application_blacklisted
     define can_delete_all_applications: application_deleter but not application_blacklisted
 
-    ## ---- Releases ----
-    # TODO
-    # define can_create_release:  (editor or is_admin) from tenant #? maybe a role?
-
-    ## ---- Deployments ----
-    # TODO
-
     ## ---- Channels ----
     define channel_viewer:  [user]
     define channel_editor:  [user]
     define channel_creator: [user]
     define channel_deleter: [user]
 
-    # define can_create_channel:  (editor or is_admin) from tenant #? maybe a role?
+    define can_create_channel:  (channel_creator or channel_editor or is_admin) but not channel_blacklisted
     define can_view_all_channels:   (channel_viewer or channel_editor or channel_creator or channel_deleter) but not channel_blacklisted
-    define can_create_channel:      channel_creator or channel_editor
     define can_edit_all_channels: channel_editor but not channel_blacklisted
     define can_delete_all_channels: channel_deleter but not channel_blacklisted
 
     ## ---- Device groups ----
+    define device_group_creator: [user]
     define device_group_viewer:  [user]
     define device_group_editor:  [user]
-    define device_group_creator: [user]
     define device_group_deleter: [user]
 
-    # define can_create_device_group:  (editor or is_admin) from tenant #? maybe a role?
+    define can_create_device_group:  (device_group_creator or device_group_editor or is_admin) but not device_group_blacklisted
     define can_view_all_device_groups:   (device_group_viewer or device_group_editor or device_group_creator or device_group_deleter) but not device_group_blacklisted
-    define can_create_device_group:      device_group_creator or device_group_editor
     define can_edit_all_device_groups: device_group_editor but not device_group_blacklisted
     define can_delete_all_device_groups: device_group_deleter but not device_group_blacklisted
 
@@ -211,7 +193,7 @@ type tenant
     define campaign_creator: [user]
     define campaign_deleter: [user]
 
-    # define can_create_campaign:  (editor or is_admin) from tenant #? maybe a role?
+    define can_create_campaign:  (campaign_creator or campaign_editor or is_admin) but not campaign_blacklisted
     define can_view_all_campaigns:  (campaign_viewer or campaign_editor or campaign_creator or campaign_deleter) but not campaign_blacklisted
     define can_create_firmware_upgrade_campaign: campaign_creator or campaign_editor
     define can_create_deployment_campaign: campaign_creator or campaign_editor
@@ -297,7 +279,7 @@ type device
     ## General per-device roles
     define owner:      [user]
     define admin:      [user]
-    define editor:     [user] # TODO: probs reconcile this with all the separate permissions
+    define editor:     [user]
     define viewer:     [user]
     define blacklisted: [user] or device_blacklisted from realm
 
@@ -571,17 +553,18 @@ type deployment
     ## Assignable roles
     define owner:   [user]
     define admin:   [user]
-    define manager: [user] # TODO: editor? also, aggiungere ruoli separati per le diverse cose?
+    define manager: [user] # basically editor
     define viewer:  [user]
+    define blacklisted: [user] but not (blacklisted from release or blacklisted from device)
 
     ## Computed permissions
-    define can_view:      viewer or manager or admin or owner or (can_view from device and can_view from release) or can_view from tenant
-    define can_start_stop: manager or admin or owner or can_edit from tenant
-    define can_upgrade:    manager or admin or owner or can_edit from tenant
-    define can_delete:     manager or admin or owner or can_edit from tenant
+    define can_view:      (viewer or manager or admin or owner or (can_view from device and can_view from release) or can_view from tenant) but not blacklisted
+    define can_start_stop: (manager or admin or owner or can_edit from tenant) but not blacklisted
+    define can_upgrade:    (manager or admin or owner or can_edit from tenant) but not blacklisted
+    define can_delete:     (manager or admin or owner or can_edit from tenant) but not blacklisted
     ### TODO: queste cose le teniamo in edgehog oppure le lasciamo a portal?
-    define can_set_manager: admin or owner or is_admin from tenant
-    define can_set_viewer:  admin or owner or is_admin from tenant
+    define can_set_manager: (admin or owner or is_admin from tenant) but not blacklisted
+    define can_set_viewer:  (admin or owner or is_admin from tenant) but not blacklisted
 
 ## ---------------------------------------------------------------------------
 ## CAMPAIGN
