Tuples, subjects, relations, objects
The atomic unit of authorization data is a tuple:
(subject, relation, object)

- Subject — who or what is being granted the relation. A namespaced identifier of the form `namespace:external_id`. Subjects may be users, agents, services, or groups.
- Relation — the verb of the grant: `owner`, `editor`, `viewer`, or `member`.
- Object — what the subject is granted the relation on. Also a namespaced identifier.
Tuples are immutable facts. Revocation is modeled as deletion of the tuple, not as a negative tuple.
Built-in relations
Pore ships four built-in relations:
| Relation | Meaning |
|---|---|
| `owner` | Full control, including administrative actions. |
| `editor` | Can mutate state; cannot administer. |
| `viewer` | Read-only access. |
| `member` | Membership in a group subject. |
Custom relations are a non-goal for v0.
Identifier rules
Subjects and objects both use the form `namespace:external_id`. The external identifier is opaque to Pore and must be:
- Non-empty.
- At most 256 bytes.
- Valid UTF-8.
Pore does not parse or interpret the external id. Use whatever identifier your application already has — a database primary key, a ULID, an email address.
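The tuple model and the identifier rules above, worked through as an added example that is not Pore's own code: it parses `namespace:external_id`, enforces the non-empty, 256-byte and UTF-8 limits (the limit is in bytes, so a short string of multi-byte characters can still exceed it), restricts the relation to the four built-ins, and models revocation as deletion of the fact. It assumes a namespace never contains a colon, so only the first colon is significant and the rest of the external id stays opaque.

```python
from dataclasses import dataclass

RELATIONS = frozenset({"owner", "editor", "viewer", "member"})  # the four built-ins
MAX_ID_BYTES = 256  # external id limit is in bytes, not characters

@dataclass(frozen=True)
class Ident:
    namespace: str
    external_id: str

def parse_ident(raw) -> Ident:
    """Parse 'namespace:external_id' (str or wire bytes), enforcing the identifier rules."""
    if isinstance(raw, bytes):
        raw = raw.decode("utf-8")  # strict decode: invalid UTF-8 raises (a ValueError subclass)
    # Assumption: namespaces never contain ':', so split on the first colon only and
    # keep everything after it opaque, further colons included.
    namespace, sep, external_id = raw.partition(":")
    if not sep or not namespace:
        raise ValueError(f"expected namespace:external_id, got {raw!r}")
    if not external_id:
        raise ValueError("external id must be non-empty")
    if len(external_id.encode("utf-8")) > MAX_ID_BYTES:
        raise ValueError(f"external id exceeds {MAX_ID_BYTES} bytes")
    return Ident(namespace, external_id)

def is_valid_ident(raw) -> bool:
    try:
        parse_ident(raw)
        return True
    except ValueError:
        return False

def make_tuple(subject, relation, obj) -> tuple:
    """Build the immutable (subject, relation, object) fact, rejecting unknown relations."""
    if relation not in RELATIONS:
        raise ValueError(f"unknown relation {relation!r}")
    return (parse_ident(subject), relation, parse_ident(obj))

class TupleStore:
    """In-memory fact set. Revocation deletes the fact; there are no negative tuples."""
    def __init__(self):
        self._facts = set()
    def grant(self, t: tuple) -> None:
        self._facts.add(t)
    def revoke(self, t: tuple) -> None:
        self._facts.discard(t)
    def check(self, subject, relation, obj) -> bool:
        return make_tuple(subject, relation, obj) in self._facts
```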