jralmaraz
diff --git a/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions b/‎Cargo.toml‎
Lines changed: 1 addition & 0 deletions
diff --git a/‎demos/README.md‎
Lines changed: 192 additions & 1 deletion b/‎demos/README.md‎
Lines changed: 192 additions & 1 deletion
diff --git a/‎demos/banking-app/README.md‎
Lines changed: 105 additions & 1 deletion b/‎demos/banking-app/README.md‎
Lines changed: 105 additions & 1 deletion
@@ -19,3 +19,4 @@ tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 futures = "0.3"
 schemars = "0.8"
+chrono = { version = "0.4", features = ["serde"] }
@@ -1,5 +1,196 @@
 # OpenFGA Operator Demo Applications
 
+This directory contains comprehensive demo applications showcasing the OpenFGA operator's capabilities for implementing fine-grained authorization in real-world scenarios.
+
+## Demo Applications
+
+### 1. Banking Application Demo
+**Location**: `banking-app/`
+
+A comprehensive banking application demonstrating:
+- **RBAC Implementation**: Customer, teller, manager, loan officer, and admin roles
+- **Multi-ownership Support**: Joint accounts with multiple owners and co-owners
+- **Transaction Controls**: Fine-grained permissions for deposits, withdrawals, and transfers
+- **Loan Processing**: Approval workflows with proper authorization chains
+- **Branch-based Security**: Employee access limited to their branch
+
+**Key Features**:
+- Bank-branch-account hierarchy
+- Multi-ownership for joint accounts
+- Role-based transaction permissions
+- Loan officer workflows
+- Manager override capabilities
+
+### 2. GenAI RAG Agent Demo
+**Location**: `genai-rag/`
+
+A Generative AI RAG (Retrieval-Augmented Generation) application demonstrating:
+- **Knowledge Base Management**: Curator, contributor, and reader roles
+- **Document-Level Security**: Individual document permissions with inheritance
+- **Content Filtering**: RAG responses filtered based on document access rights
+- **AI Model Access Control**: Separate permissions for using and configuring models
+- **Session-Based RAG**: Controlled RAG sessions with participant management
+
+**Key Features**:
+- Three-tier role system for knowledge management
+- Document-level permissions with inheritance
+- Content filtering for RAG responses
+- AI model usage and configuration controls
+- Session-based access with intersection permissions
+
+## Architecture
+
+Both demos implement the following architectural patterns:
+
+### Authorization Models
+- **OpenFGA DSL Format**: Complete authorization models in JSON format
+- **Relationship-Based**: Tuples defining relationships between users and resources
+- **Hierarchical Permissions**: Role inheritance and computed relationships
+- **Intersection Logic**: Complex permission combinations using OpenFGA's operators
+
+### Demo Structure
+```
+demos/
+├── banking-app/
+│   ├── authorization-model.json    # OpenFGA model definition
+│   ├── banking_demo.rs            # Demo implementation
+│   └── README.md                  # Documentation
+├── genai-rag/
+│   ├── authorization-model.json    # OpenFGA model definition
+│   ├── genai_rag_demo.rs          # Demo implementation
+│   └── README.md                  # Documentation
+└── README.md                      # This file
+```
+
+### Code Organization
+- **Data Models**: Structs representing entities (users, accounts, documents, etc.)
+- **Authorization Logic**: Implementation of OpenFGA authorization checks
+- **Test Scenarios**: Comprehensive test coverage for all authorization scenarios
+- **Helper Methods**: Utility functions for common authorization patterns
+
+## Running the Demos
+
+### Prerequisites
+```bash
+# Ensure you have Rust installed
+rustc --version
+
+# Navigate to the project root
+cd /path/to/authcore-openfga-operator
+```
+
+### Build and Test
+```bash
+# Build the project with demos
+cargo build
+
+# Run all tests including demo tests
+cargo test
+
+# Run only banking demo tests
+cargo test banking_demo
+
+# Run only GenAI RAG demo tests
+cargo test genai_rag_demo
+
+# Run with verbose output
+cargo test -- --nocapture
+```
+
+### Integration with OpenFGA
+
+The authorization models can be imported into a running OpenFGA server:
+
+```bash
+# Start OpenFGA server (example using Docker)
+docker run -p 8080:8080 openfga/openfga run
+
+# Import banking model
+curl -X POST http://localhost:8080/stores \
+  -H "Content-Type: application/json" \
+  -d @demos/banking-app/authorization-model.json
+
+# Import GenAI model
+curl -X POST http://localhost:8080/stores \
+  -H "Content-Type: application/json" \
+  -d @demos/genai-rag/authorization-model.json
+```
+
+## Key Authorization Patterns Demonstrated
+
+### 1. Role-Based Access Control (RBAC)
+Both demos implement hierarchical RBAC where higher-level roles inherit permissions from lower-level roles.
+
+### 2. Multi-ownership
+The banking demo shows how to handle joint accounts and shared resources with multiple owners.
+
+### 3. Contextual Permissions
+Permissions that depend on the context (e.g., branch employees can only access accounts in their branch).
+
+### 4. Content Filtering
+The GenAI demo shows how to filter content in responses based on user permissions.
+
+### 5. Intersection Permissions
+Complex authorization logic where users need multiple permissions simultaneously.
+
+### 6. Hierarchical Inheritance
+Permissions that cascade down organizational hierarchies.
+
+## Testing Approach
+
+Each demo includes comprehensive tests covering:
+
+### Positive Test Cases
+- Users with proper permissions can perform authorized actions
+- Role inheritance works correctly
+- Multi-ownership scenarios function properly
+
+### Negative Test Cases  
+- Users without permissions are denied access
+- Unauthorized operations are blocked
+- Cross-organizational access is prevented
+
+### Edge Cases
+- Boundary conditions for role hierarchies
+- Complex permission intersections
+- Cascading permission changes
+
+## Production Deployment
+
+These demos serve as templates for production applications:
+
+1. **Model Deployment**: Import the authorization models into your OpenFGA server
+2. **Tuple Management**: Implement tuple creation/deletion for your entities
+3. **Authorization Checks**: Integrate the authorization logic into your application
+4. **Performance Optimization**: Add caching and bulk operations as needed
+
+## Documentation
+
+Each demo includes detailed documentation covering:
+- Authorization model explanation
+- Entity relationships
+- Permission matrices
+- Usage examples
+- Test scenarios
+
+See the individual README files in each demo directory for detailed information.
+
+## Contributing
+
+When adding new demo applications:
+
+1. Follow the established directory structure
+2. Include comprehensive OpenFGA authorization model
+3. Implement realistic test scenarios
+4. Add thorough documentation
+5. Ensure all tests pass
+
+## References
+
+- [OpenFGA Documentation](https://openfga.dev/docs)
+- [OpenFGA Authorization Models](https://openfga.dev/docs/modeling/getting-started)
+- [Relationship-Based Access Control](https://openfga.dev/docs/concepts#what-is-relationship-based-access-control-rebac)
+=======
 This directory contains demonstration applications showcasing the capabilities of the OpenFGA Operator for different use cases.
 
 ## Available Demos
@@ -79,4 +270,4 @@ After completing these demos, you will understand:
 For questions or issues with these demos:
 - Check the individual demo README files
 - Review the main [OpenFGA Operator documentation](../README.md)
-- Open an issue in the repository
+- Open an issue in the repository
@@ -1,5 +1,7 @@
 # Banking Application Demo
 
+This demo showcases how to implement fine-grained authorization for a banking application using OpenFGA. The demo includes a comprehensive authorization model that supports realistic banking scenarios with RBAC (Role-Based Access Control), multi-ownership, and transaction controls.
+
 A comprehensive banking microservice that demonstrates fine-grained authorization using OpenFGA. This demo showcases real-world banking scenarios including account management, transactions, and loan processing with role-based access control.
 
 ## 🏗️ Architecture
@@ -368,4 +370,106 @@ This demo is licensed under the Apache 2.0 License - see the [LICENSE](../../LIC
 For issues and questions:
 - Check the [main documentation](../../README.md)
 - Open an issue in the repository
-- Join the OpenFGA community discussions
+- Join the OpenFGA community discussions
+
+## Authorization Model
+
+The OpenFGA authorization model defines the following entity types and relationships:
+
+### Entity Types
+
+1. **Bank**
+   - Relations: `admin`, `manager`, `employee`
+   - Supports hierarchical roles where managers inherit employee permissions
+
+2. **Branch** 
+   - Relations: `parent_bank`, `manager`, `teller`, `employee`, `admin`
+   - Branch employees can perform operations on accounts in their branch
+   - Inherits admin permissions from parent bank
+
+3. **Account**
+   - Relations: `parent_branch`, `owner`, `co_owner`, `authorized_user`, `can_view`, `can_deposit`, `can_withdraw`, `can_transfer`
+   - Supports multi-ownership with joint accounts through co-owners
+   - Different permission levels for different operations
+
+4. **Loan**
+   - Relations: `parent_branch`, `borrower`, `co_borrower`, `loan_officer`, `can_view`, `can_approve`, `can_modify`
+   - Supports loan processing workflows with proper approval chains
+
+5. **Transaction**
+   - Relations: `source_account`, `target_account`, `initiated_by`, `can_view`, `can_reverse`
+   - Transaction visibility based on account relationships
+   - Manager-level permissions for transaction reversals
+
+### Key Features
+
+- **RBAC Implementation**: Clear role hierarchy with customer, teller, manager, loan officer, and admin roles
+- **Multi-ownership Support**: Joint accounts with multiple owners and co-owners
+- **Fine-grained Permissions**: Different permission levels for viewing, depositing, withdrawing, and transferring
+- **Branch-based Access Control**: Employees can only access accounts in their branch
+- **Loan Processing Workflow**: Proper authorization chains for loan approval and modification
+- **Transaction Security**: Controlled access to transaction data and reversal capabilities
+
+## Demo Scenarios
+
+The demo includes the following test scenarios:
+
+### Account Access Control
+- Account owners can view, deposit, withdraw, and transfer
+- Co-owners have the same permissions as owners
+- Branch tellers can view and process deposits
+- Branch managers can view and process withdrawals
+- Unauthorized users are denied access
+
+### Loan Processing
+- Borrowers and co-borrowers can view their loans
+- Loan officers can view, approve, and modify loans
+- Branch managers can view and approve loans
+- Unauthorized users cannot access loan information
+
+### Transaction Control
+- Transaction visibility is based on account ownership
+- Only branch managers can reverse transactions
+- Proper audit trails for all operations
+
+## Usage
+
+```rust
+use crate::demos::banking_app::BankingDemo;
+
+// Create demo instance
+let demo = BankingDemo::new();
+
+// Check authorization
+let request = AuthorizationRequest {
+    user: "user:alice".to_string(),
+    relation: "can_view".to_string(),
+    object: "account:acc1".to_string(),
+};
+let response = demo.check_authorization(&request);
+assert!(response.allowed);
+
+// Get OpenFGA tuples
+let tuples = demo.get_tuples();
+println!("Total tuples: {}", tuples.len());
+```
+
+## Testing
+
+Run the banking demo tests:
+
+```bash
+cargo test banking_demo
+```
+
+The tests cover:
+- Basic authorization scenarios
+- RBAC enforcement
+- Multi-ownership support
+- Transaction controls
+- Loan processing workflows
+- Edge cases and unauthorized access attempts
+
+## OpenFGA Model File
+
+The complete OpenFGA authorization model is available in `authorization-model.json` and can be imported into an OpenFGA server for production use.