Specification for Graph Permissions Model #190
Draft
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
darrelmiller
force-pushed
the
dm/permissionspec
branch
from
197254c
to
fb5ed70
Compare
specs/permissions.md
Outdated
| ```json | ||
| "paths": { | ||
| "/me/activities/{id}": { | ||
| "leastPrivilegePath": ["DelegateedWork", "DelegatedPersonal"], |
There was a problem hiding this comment.
Suggested change
| "leastPrivilegePath": ["DelegateedWork", "DelegatedPersonal"], | |
| "leastPrivilegePath": ["DelegatedWork", "DelegatedPersonal"], |
| (User.Read | User.Read.All) & Group.Read | ||
| ``` | ||
|
|
||
| ### includedProperties |
There was a problem hiding this comment.
May want to call out the behavior when includeProperties and excludeProperties are not specified. I assume includeProperties defaults to all properties if not specified, and excludeProperties defaults to no properties if not specified
| ### methods | ||
| The "methods" member is a REQUIRED array of strings that represent the HTTP methods supported by the paths in this pathSet object. | ||
|
|
||
| ### paths |
There was a problem hiding this comment.
Should provide an example of how the URI template works
| The "methods" member is a REQUIRED array of strings that represent the HTTP methods supported by the paths in this pathSet object. | ||
|
|
||
| ### paths | ||
| The "paths" member is a REQUIRED object whose keys contain a simplified URI template to identify the resources protected by this permission object. |
There was a problem hiding this comment.
How do we distinguish between Read and Read.All for paths permissions?
There was a problem hiding this comment.
Read and Read.All is a convention that Microsoft Graph has that indicates whether you can access any resource of the specified type, or just "yours". It is a scoping mechanism that is opaque to this spec. The model this spec describes currently does not have the capability to map permissions to caller identity. At this time we are only trying to map claims to a URI template that we are primarily using to verify a user has consented an application to access data. If you have any ideas how to describe user authZ as well, I am all ears.
specs/permissions.md
Outdated
| TBD | ||
|
|
||
| ### ownerEmail | ||
| The "ownerEmail" member is a REQUIRED string that provides a contact mechanism for communicating with the owner of the permission. It is important that owners of permissions are aware when new paths are added to an existing permission. |
There was a problem hiding this comment.
Suggestion: Require this to be a DL/Mail enabled security group
specs/permissions.md
Outdated
| ``` | ||
|
|
||
| ### leastPrivilegePath | ||
| The "leastPrivilegePath" member is an array of strings that identify the schemes for which this permission is the least privilege permission for accessing the path. |
There was a problem hiding this comment.
Question: can this not be derived automatically based on the set of paths and the privilegeLevel property?
There was a problem hiding this comment.
That is what I originally thought and then someone convinced me that is not the case. Let me try and remember what the reasoning was. Nope, can't remember. I will go back to the person and get them to remind me and I'll update this doc. Thanks for the call out.
Co-authored-by: Peter Richards <[email protected]>
Co-authored-by: Peter Richards <[email protected]>
|
Add a provisioningInfo object. It will contain internal information: Add Id into the main part of the spec. |
wandeg
reviewed
Sep 6, 2022
| ## Introduction | ||
| Protecting data in HTTP APIs from unauthorized access is critical. One technique to do this is by associating permissions with resources and requiring API callers to present a bearer token that can prove what permissions have been consented to the caller. This document describes a JSON based document format that can store the relationships between permission and resource. | ||
|
|
||
| In this design, the permission is the primary concept and the resources that are controlled are associated to the permission. The relationship is many-to-many and so could be modelled in an inverted way with resources being assigned the permissions. However, the permission centric view was chosen to emphasise to the author of the permission the scope of control being assigned to the permission. It is the opposite view to how this information will often be used in tooling. Tooling will need to invert the model to identify what permissions could be used to access a resource. The trade-off is the tooling writers will need to do more for the benefit of permission authors. Application users and administrators are increasingly asking for the ability to consent to more fine-grained permissions that are limited in the number of resources they can access via a single permission. This limits the ability of applications performing unintended or malicious actions on behalf of users. Models that present a resource centric view of permissions obscure the total scope of the permission and lead to the creation of permissions that create unnecessary risk. |
There was a problem hiding this comment.
Suggested change
| In this design, the permission is the primary concept and the resources that are controlled are associated to the permission. The relationship is many-to-many and so could be modelled in an inverted way with resources being assigned the permissions. However, the permission centric view was chosen to emphasise to the author of the permission the scope of control being assigned to the permission. It is the opposite view to how this information will often be used in tooling. Tooling will need to invert the model to identify what permissions could be used to access a resource. The trade-off is the tooling writers will need to do more for the benefit of permission authors. Application users and administrators are increasingly asking for the ability to consent to more fine-grained permissions that are limited in the number of resources they can access via a single permission. This limits the ability of applications performing unintended or malicious actions on behalf of users. Models that present a resource centric view of permissions obscure the total scope of the permission and lead to the creation of permissions that create unnecessary risk. | |
| In this design, the permission is the primary concept and the resources that are controlled are associated to the permission. The relationship is many-to-many and so could be modelled in an inverted way with resources being assigned the permissions. However, the permission centric view was chosen to emphasise to the author of the permission the scope of control being assigned to the permission. It is the opposite view to how this information will often be used in tooling. Tooling will need to invert the model to identify what permissions could be used to access a resource. The trade-off is the tooling writers will need to do more for the benefit of permission authors. Application users and administrators are increasingly asking for the ability to consent to more fine-grained permissions that are limited in the number of resources they can access via a single permission. This limits the ability of applications performing unintended or malicious actions on behalf of users. Models that present a resource centric view of permissions obscure the total scope of the permission and lead to the creation of permissions that create unnecessary risk. |
Minor: spacing
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. | ||
|
|
||
| ## <a name="permissionsObject"></a> Permissions JSON Object | ||
| The canonical model for a permissions document is a JSON [JSON] object. When serialized in a JSON document, that format is identified with the "application/permissions+json" media type. |
wandeg
reviewed
Sep 6, 2022
| The relationship between a permission and the resources it controls have a number of attributes including the HTTP method being granted, the type of security scheme being used, and properties of the resource being protected. Ideally these relationships would be consistent for all resources controlled by a permission. However, in reality that is not always the case. This model enables modelling the paths as sets of paths that do behave consistently and a permission can have multiple sets of paths. This approach minimizes the duplication of relationship attributes and encourages consistency in relationship design due to the overhead of managing distinct path sets. | ||
|
|
||
| ## Notational Conventions | ||
| The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. |
There was a problem hiding this comment.
Should we have urls to the RFCs provided here?
Corrected two grammatical error for ease of readability.
Update permissions.md
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
No description provided.