Skill Being Reviewed
Skill name: rbac-design
Skill path: skills/identity/rbac-design/
False Positive Analysis
Benign authorization model that can be over-reported as role explosion if relationship-based access is not recognized:
document:roadmap#viewer@user:alice
document:roadmap#editor@group:product#member
folder:planning#viewer@organization:acme#member
document:roadmap#parent@folder:planning
Why this is a false positive risk:
The skill correctly warns against role explosion and recommends ABAC for tenant, owner, and contextual decisions. But many collaborative SaaS and data-sharing systems do not fit cleanly into RBAC roles or ABAC attribute comparisons. They use relationship-based authorization: users can access resources because of direct sharing, group membership, parent-folder inheritance, organization membership, resource ownership, or delegated administration. If reviewers only see many per-resource grants, they may call it role explosion instead of recognizing a deliberate ReBAC model that needs different evidence.
Coverage Gaps
Missed variant 1: Shared-resource authorization is modeled as roles or attributes, but the real control is graph relationships
User alice can view document:roadmap if:
alice is directly viewer on document:roadmap, OR
alice is member of a group that is editor on document:roadmap, OR
document:roadmap is inside a folder alice can view, OR
alice is an organization admin for the document's organization.
Why it should be caught:
This is not merely RBAC or ABAC. It is a relationship graph with inheritance and userset rewrites. The skill should ask reviewers whether a target system needs ReBAC evidence: object types, relation definitions, allowed subject types, inheritance rules, tuple sources, consistency model, and delete/revocation propagation.
Missed variant 2: Tenant isolation is bypassed by parent or group relationships
folder:tenant-a-root#viewer@group:contractors#member
group:contractors#member@user:bob
document:tenant-b-plan#parent@folder:tenant-a-root
Why it should be caught:
Tenant isolation can fail when relationship tuples cross tenant boundaries or when a parent relation grants access to children in another tenant. The current ABAC recommendation subject.tenant_id == resource.tenant_id is useful, but a ReBAC system also needs tuple-write validation, allowed subject/object types, tenant-scoped namespaces, and invariant tests that prove relationships cannot bridge isolation boundaries.
Missed variant 3: Contextual relationships outlive the source-of-truth change
JWT claim: groups = ["finance-approvers"]
Contextual tuple: invoice:123#approver@group:finance-approvers#member
HR event: user removed from finance-approvers
Token expiry: 8 hours later
Access continues until token expiry
Why it should be caught:
Relationship engines can combine stored tuples with contextual tuples, token claims, caveats, or request-time attributes. If contextual relationship data is stale, authorization can continue after group removal, tenant transfer, or risk-state changes. Reviews should record contextual tuple source, TTL, revocation behavior, precedence over stored tuples, and cache invalidation rules.
Missed variant 4: Authorization schema changes are not versioned or tested against existing tuples
Old schema:
document.viewer = user | group#member
New schema:
document.viewer = user | folder#viewer
Existing tuple:
document:roadmap#viewer@group:product#member
Migration result:
group-based sharing silently stops working, or fallback code grants broader access.
Why it should be caught:
Relationship-based authorization has both policy/schema and tuple data. Schema migrations can orphan tuples, change inheritance semantics, or create fallback behavior. The skill should require schema versioning, tuple migration plans, backward-compatibility tests, and authorization decision replay before promoting a new model.
Edge Cases
- A user can have multiple relationship paths to the same object; evidence should show which path authorized the decision.
- Deny, caveat, or condition semantics vary between authorization engines; reviewers should not assume all ReBAC systems resolve conflicts the same way.
- Cached authorization checks can be correct under bounded staleness for read-heavy systems, but high-risk revocations need freshness or explicit invalidation evidence.
- Relationship tuples may be written by application services, admin tools, imports, sync jobs, or user sharing flows; each tuple writer needs validation and audit logging.
- Public or type-bound access such as
user:* / <type>:* should be treated as a high-risk relationship, not just a broad role.
Remediation Quality
Comparison to Other Tools
| Tool / Framework |
Catches this? |
Notes |
| NIST RBAC |
Partial |
Useful for roles, hierarchies, and constraints, but does not model object-to-object relationship inheritance well. |
| NIST SP 800-162 ABAC |
Partial |
Includes attributes and policy architecture; relationship-driven sharing still needs graph/tuple evidence. |
| Google Zanzibar model |
Yes conceptually |
Provides a relationship graph model for global authorization across shared resources. |
| OpenFGA |
Partial |
Implements relationship tuples, models, contextual tuples, and conditions; reviewers must still assess tenant invariants and tuple writer controls. |
| Cedar |
Partial |
Supports entity hierarchies and policy evaluation, but schema, entity hierarchy, and context freshness still need review evidence. |
Overall Assessment
Strengths:
- Strong RBAC0-RBAC3 structure with hierarchy, constraints, permission boundaries, ABAC policy architecture, and role mining.
- Good guidance on role explosion, SoD, centralized PDP, and authoritative ABAC attributes.
- Useful warning that hybrid RBAC/ABAC is common and that role mining needs business validation.
Needs improvement:
- Modern collaborative systems often need ReBAC, not only RBAC plus ABAC.
- The skill lacks relationship schema evidence: object types, relations, allowed subject types, inheritance, caveats/conditions, and conflict semantics.
- The skill does not require tuple writer validation, tenant-boundary invariant tests, relationship revocation freshness, or schema migration/replay tests.
- Contextual tuples and token-derived relationships can become stale and should be assessed separately from stored relationship tuples.
Priority recommendations:
- Add a
When to use ReBAC decision branch for shared resources, nested folders/projects, organization membership, delegated admin, group membership, and user-to-resource relationships.
- Add a
Relationship Authorization Evidence table with object type, relation, allowed subject types, inheritance rule, tuple source, tuple writer, tenant boundary, caveat/condition, cache TTL, revocation path, decision log, and evidence confidence.
- Add invariant tests for tenant isolation, public/type-bound relationships, parent-child inheritance, group membership revocation, and multi-path authorization.
- Add schema/version migration guidance: model versioning, tuple migration, compatibility checks, decision replay, rollback plan, and orphaned-tuple detection.
Sources Checked
Bounty Info
Skill Being Reviewed
Skill name:
rbac-designSkill path:
skills/identity/rbac-design/False Positive Analysis
Benign authorization model that can be over-reported as role explosion if relationship-based access is not recognized:
Why this is a false positive risk:
The skill correctly warns against role explosion and recommends ABAC for tenant, owner, and contextual decisions. But many collaborative SaaS and data-sharing systems do not fit cleanly into RBAC roles or ABAC attribute comparisons. They use relationship-based authorization: users can access resources because of direct sharing, group membership, parent-folder inheritance, organization membership, resource ownership, or delegated administration. If reviewers only see many per-resource grants, they may call it role explosion instead of recognizing a deliberate ReBAC model that needs different evidence.
Coverage Gaps
Missed variant 1: Shared-resource authorization is modeled as roles or attributes, but the real control is graph relationships
Why it should be caught:
This is not merely RBAC or ABAC. It is a relationship graph with inheritance and userset rewrites. The skill should ask reviewers whether a target system needs ReBAC evidence: object types, relation definitions, allowed subject types, inheritance rules, tuple sources, consistency model, and delete/revocation propagation.
Missed variant 2: Tenant isolation is bypassed by parent or group relationships
Why it should be caught:
Tenant isolation can fail when relationship tuples cross tenant boundaries or when a parent relation grants access to children in another tenant. The current ABAC recommendation
subject.tenant_id == resource.tenant_idis useful, but a ReBAC system also needs tuple-write validation, allowed subject/object types, tenant-scoped namespaces, and invariant tests that prove relationships cannot bridge isolation boundaries.Missed variant 3: Contextual relationships outlive the source-of-truth change
Why it should be caught:
Relationship engines can combine stored tuples with contextual tuples, token claims, caveats, or request-time attributes. If contextual relationship data is stale, authorization can continue after group removal, tenant transfer, or risk-state changes. Reviews should record contextual tuple source, TTL, revocation behavior, precedence over stored tuples, and cache invalidation rules.
Missed variant 4: Authorization schema changes are not versioned or tested against existing tuples
Why it should be caught:
Relationship-based authorization has both policy/schema and tuple data. Schema migrations can orphan tuples, change inheritance semantics, or create fallback behavior. The skill should require schema versioning, tuple migration plans, backward-compatibility tests, and authorization decision replay before promoting a new model.
Edge Cases
user:*/<type>:*should be treated as a high-risk relationship, not just a broad role.Remediation Quality
Comparison to Other Tools
Overall Assessment
Strengths:
Needs improvement:
Priority recommendations:
When to use ReBACdecision branch for shared resources, nested folders/projects, organization membership, delegated admin, group membership, and user-to-resource relationships.Relationship Authorization Evidencetable withobject type,relation,allowed subject types,inheritance rule,tuple source,tuple writer,tenant boundary,caveat/condition,cache TTL,revocation path,decision log, andevidence confidence.Sources Checked
Bounty Info