KB permissions
Hybrid stack
| Layer | Provider | What it answers |
|---|---|---|
| RBAC | ACL.roles_* + Membership rows | "Is the user an editor of this corpus?" |
| ABAC | IPolicyEngine (default: OPA; opt-in: Cedar) | "Does the user's region == EU and the resource's classification ≤ user's clearance?" |
| ReBAC | IACLEvaluator (default: Native; opt-in: OpenFGA / SpiceDB / Permify) | "Does the user inherit access via a chain of group / org / dataset / subscription relations?" |
AccessBitmap
DefaultPermissionResolver.materialize_bitmap produces a per-request
AccessBitmap:
class AccessBitmap(BaseModel):
visible_node_ids: set[UUID]
visible_edge_ids: set[UUID]
excluded_node_ids: set[UUID]
field_redactions: dict[UUID, set[str]]
residual_cypher: Optional[str] # OPA partial-eval residual
residual_sql: Optional[str]
computed_at_iso: Optional[str]
cache_key: Optional[str]
The bitmap is built by:
- Calling
IACLEvaluator.list_objects(principal_id, action, "node", tenant_id)→ set of visible node UUIDs (OpenFGAlist-objects). - Calling
IPolicyEngine.partial_evaluate(action, "node", ctx)→ residual Cypher / SQL fragment (OPAcompile). - Caching the result for 60s by
(tenant, principal, action, anchor_hash).
Projection into store-native filters
| Store | How the bitmap shows up |
|---|---|
| Graph (Cypher) | WHERE n.id IN $visible_node_ids AND r.id IN $visible_edge_ids AND (${residual_cypher}) |
| Vector (payload filter) | {"tenant_id": {"$eq": "..."}, "id": {"$in": [...]}} |
| Relational (RLS) | Session GUCs app.current_tenant_id + app.current_workspace_id + app.visible_node_ids |
OpenFGA authorization model
The bundled
authorization_model.fga
defines the canonical types:
type tenant
relations
define member: [user]
define admin: [user]
define parent: [tenant]
type corpus
relations
define owner_tenant: [tenant]
define editor: [user] or admin from owner_tenant
define viewer: [user] or editor or member from owner_tenant
define subscriber: [tenant]
type dataset
relations
define parent_corpus: [corpus]
define editor: editor from parent_corpus
define viewer: viewer from parent_corpus or subscriber from parent_corpus
define subscriber: [tenant]
OPA policy bundle
The bundled
authz.rego
implements default-deny with role-based + region-lock + classification
gates. Bundles are signed and served from
s3://alphaswarm-kb-opa-bundles/ (or the Azure / GCP equivalents) and
pulled by OPA every 30-120s.
Cedar (optional)
Cedar is the optional IPolicyEngine adapter for tenants requiring
formal verification. Activate by setting
KBCorpusSpec.acl.policy_alias = "cedar".