
Relationship Based Access Control (ReBAC)

The ReBAC model of access control is expressive and scales well. Instead of attaching attributes to individual actors in a system (such as a user), or defining roles that you assign to people, you define which relationships between a subject and a resource grant which kind of access to that resource: the owner of a document may edit it, a member of the group that owns a folder may view everything inside that folder, and so on.

This can be a head-spinning concept at first, so picture it as a large graph of interconnected nodes: users, groups, folders, documents. The edges between nodes are relationships (member of, owner of, parent of), and any given user is some number of "degrees" away from a resource along those edges. Whether you get access depends on whether you sit on the right part of the graph, that is, whether a path of permitted relationships connects you to the resource. An access check is therefore a graph reachability question, which is also why real implementations bound how deep they will walk and cache the results.

Facebook works this way: you can share a post or image with a named list or group of people (which looks more like a role or an access-control list), or you can share it with "friends" or "friends of friends" (relationships). The social graph of connections defines exactly who counts as a friend, so the audience of the post changes automatically as that graph changes, without anyone editing the post's permissions.

In one sense it is RBAC turned around: with RBAC you decide in advance which roles exist and assign them to people, and the check is a lookup of the user's roles; with ReBAC you store one tuple per relationship (this user is a member of that group, that group edits this folder, this document lives in that folder) and derive the permission at check time by following the chain. Because nothing is copied per user per object, the number of stored facts grows with the number of relationships rather than with users times resources, which is what lets it scale to very large systems. The practitioner's caveat is that every check is a graph walk, so the relationship schema has to keep paths short and cycles bounded, and a check that hits the depth limit should fail closed rather than grant access.
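As an added example (this is not code from the original page), here is a minimal ReBAC checker in Python that models the graph described above: the user → group → folder → document chain, and the "friends" / "friends of friends" style of sharing. The relation tuples, the `IMPLIED` and `INHERITED` schema rules, `MAX_DEPTH`, and all user, group and resource names are constructed for illustration; the tuple shape (object, relation, subject, where a subject may itself be a userset like `group:eng#member`) is loosely modelled on Zanzibar-style systems but is not any particular product's API.

```python
from dataclasses import dataclass

# A relation tuple: "subject has `relation` on object".
# The subject is either a concrete user ("user:alice") or a userset
# ("group:eng#member"), meaning "everyone who has `member` on group:eng".
@dataclass(frozen=True)
class Tuple:
    object: str
    relation: str
    subject: str

# Hypothetical schema, keyed by object namespace (the part before ":").
# IMPLIED: having any of the listed stronger relations on an object also
#          grants the weaker one ("editor" implies "viewer").
# INHERITED: relation R on an object is inherited from relation R2 on the
#            objects reachable via relation V ("viewer" on a doc flows from
#            "viewer" on its "parent" folder; "friend_of_friend" on a user
#            flows from "friend" on that user's "friend"s).
IMPLIED = {
    "doc": {"viewer": ["editor"], "editor": ["owner"]},
    "folder": {"viewer": ["editor"], "editor": ["owner"]},
    "user": {"friend_of_friend": ["friend"]},
}
INHERITED = {
    "doc": {"viewer": ("parent", "viewer"), "editor": ("parent", "editor")},
    "user": {"friend_of_friend": ("friend", "friend")},
}
MAX_DEPTH = 8  # bound the walk; exceeding it fails closed (denies)


class ReBAC:
    def __init__(self, tuples):
        self.tuples = set(tuples)

    def _direct_subjects(self, obj, relation):
        # Linear scan for clarity; a real store indexes on (object, relation).
        return {t.subject for t in self.tuples
                if t.object == obj and t.relation == relation}

    def check(self, subject, relation, obj):
        """True iff `subject` has `relation` on `obj`, found by walking the graph."""
        return self._check(subject, relation, obj, 0, set())

    def _check(self, subject, relation, obj, depth, seen):
        key = (subject, relation, obj)
        # `seen` gives cycle protection: a key already visited either is on the
        # current path (a cycle) or was fully explored and came back False,
        # because any True short-circuits the whole check.
        if depth > MAX_DEPTH or key in seen:
            return False
        seen.add(key)
        ns = obj.split(":", 1)[0]
        # 1. A direct tuple, or membership in a userset named as the subject.
        for s in self._direct_subjects(obj, relation):
            if s == subject:
                return True
            if "#" in s:
                set_obj, set_rel = s.split("#", 1)
                if self._check(subject, set_rel, set_obj, depth + 1, seen):
                    return True
        # 2. A stronger relation on the same object implies this one.
        for stronger in IMPLIED.get(ns, {}).get(relation, []):
            if self._check(subject, stronger, obj, depth + 1, seen):
                return True
        # 3. The relation is inherited from a related object (e.g. parent folder).
        if relation in INHERITED.get(ns, {}):
            via, inherited_rel = INHERITED[ns][relation]
            for related in self._direct_subjects(obj, via):
                if self._check(subject, inherited_rel, related, depth + 1, seen):
                    return True
        return False


# Constructed sample graph: one group that edits a folder containing a doc,
# a direct per-document grant, and a small symmetric friendship graph.
TUPLES = [
    Tuple("group:eng", "member", "user:alice"),
    Tuple("group:eng", "member", "user:bob"),
    Tuple("folder:eng", "editor", "group:eng#member"),
    Tuple("doc:spec", "parent", "folder:eng"),
    Tuple("doc:spec", "viewer", "user:dave"),
    Tuple("user:alice", "friend", "user:bob"),
    Tuple("user:bob", "friend", "user:alice"),
    Tuple("user:bob", "friend", "user:carol"),
    Tuple("user:carol", "friend", "user:bob"),
    # alice shares a post with "friends of friends"
    Tuple("post:1", "viewer", "user:alice#friend_of_friend"),
]
ENGINE = ReBAC(TUPLES)

if __name__ == "__main__":
    for who, rel, what in [("user:alice", "viewer", "doc:spec"),
                           ("user:dave", "editor", "doc:spec"),
                           ("user:carol", "viewer", "post:1"),
                           ("user:dave", "viewer", "post:1")]:
        print(f"{who} {rel} {what}: {ENGINE.check(who, rel, what)}")
```

Note that alice is never mentioned in any tuple about `doc:spec`: her access to the document is derived at check time from member → editor-of-folder → parent-of-doc → implied viewer, three degrees away on the graph. Adding one tuple (`Tuple("group:eng", "member", "user:eve")`) would grant eve the same access to every document under the folder without touching any document, which is the property the text describes.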