Skip to content

[REVIEW] rbac-design: add relationship authorization evidence #194

Description

@mlodygbelmondo

Skill Being Reviewed

Skill name: rbac-design
Skill path: skills/identity/rbac-design/

False Positive Analysis

Benign authorization model that can be over-reported as role explosion if relationship-based access is not recognized:

document:roadmap#viewer@user:alice
document:roadmap#editor@group:product#member
folder:planning#viewer@organization:acme#member
document:roadmap#parent@folder:planning

Why this is a false positive risk:

The skill correctly warns against role explosion and recommends ABAC for tenant, owner, and contextual decisions. But many collaborative SaaS and data-sharing systems do not fit cleanly into RBAC roles or ABAC attribute comparisons. They use relationship-based authorization: users can access resources because of direct sharing, group membership, parent-folder inheritance, organization membership, resource ownership, or delegated administration. If reviewers only see many per-resource grants, they may call it role explosion instead of recognizing a deliberate ReBAC model that needs different evidence.

Coverage Gaps

Missed variant 1: Shared-resource authorization is modeled as roles or attributes, but the real control is graph relationships

User alice can view document:roadmap if:
  alice is directly viewer on document:roadmap, OR
  alice is member of a group that is editor on document:roadmap, OR
  document:roadmap is inside a folder alice can view, OR
  alice is an organization admin for the document's organization.

Why it should be caught:

This is not merely RBAC or ABAC. It is a relationship graph with inheritance and userset rewrites. The skill should ask reviewers whether a target system needs ReBAC evidence: object types, relation definitions, allowed subject types, inheritance rules, tuple sources, consistency model, and delete/revocation propagation.

Missed variant 2: Tenant isolation is bypassed by parent or group relationships

folder:tenant-a-root#viewer@group:contractors#member
group:contractors#member@user:bob
document:tenant-b-plan#parent@folder:tenant-a-root

Why it should be caught:

Tenant isolation can fail when relationship tuples cross tenant boundaries or when a parent relation grants access to children in another tenant. The current ABAC recommendation subject.tenant_id == resource.tenant_id is useful, but a ReBAC system also needs tuple-write validation, allowed subject/object types, tenant-scoped namespaces, and invariant tests that prove relationships cannot bridge isolation boundaries.

Missed variant 3: Contextual relationships outlive the source-of-truth change

JWT claim: groups = ["finance-approvers"]
Contextual tuple: invoice:123#approver@group:finance-approvers#member
HR event: user removed from finance-approvers
Token expiry: 8 hours later
Access continues until token expiry

Why it should be caught:

Relationship engines can combine stored tuples with contextual tuples, token claims, caveats, or request-time attributes. If contextual relationship data is stale, authorization can continue after group removal, tenant transfer, or risk-state changes. Reviews should record contextual tuple source, TTL, revocation behavior, precedence over stored tuples, and cache invalidation rules.

Missed variant 4: Authorization schema changes are not versioned or tested against existing tuples

Old schema:
  document.viewer = user | group#member
New schema:
  document.viewer = user | folder#viewer
Existing tuple:
  document:roadmap#viewer@group:product#member
Migration result:
  group-based sharing silently stops working, or fallback code grants broader access.

Why it should be caught:

Relationship-based authorization has both policy/schema and tuple data. Schema migrations can orphan tuples, change inheritance semantics, or create fallback behavior. The skill should require schema versioning, tuple migration plans, backward-compatibility tests, and authorization decision replay before promoting a new model.

Edge Cases

  • A user can have multiple relationship paths to the same object; evidence should show which path authorized the decision.
  • Deny, caveat, or condition semantics vary between authorization engines; reviewers should not assume all ReBAC systems resolve conflicts the same way.
  • Cached authorization checks can be correct under bounded staleness for read-heavy systems, but high-risk revocations need freshness or explicit invalidation evidence.
  • Relationship tuples may be written by application services, admin tools, imports, sync jobs, or user sharing flows; each tuple writer needs validation and audit logging.
  • Public or type-bound access such as user:* / <type>:* should be treated as a high-risk relationship, not just a broad role.

Remediation Quality

  • Fix resolves the vulnerability
  • Fix doesn't introduce new security issues
  • Fix doesn't break functionality
  • Issues found: Add relationship-based access control assessment to the RBAC/ABAC skill. Require reviewers to identify when ReBAC is the correct model, capture relationship schema/tuple evidence, test tenant-boundary invariants, and record contextual tuple freshness, tuple writer controls, and schema migration safety.

Comparison to Other Tools

Tool / Framework Catches this? Notes
NIST RBAC Partial Useful for roles, hierarchies, and constraints, but does not model object-to-object relationship inheritance well.
NIST SP 800-162 ABAC Partial Includes attributes and policy architecture; relationship-driven sharing still needs graph/tuple evidence.
Google Zanzibar model Yes conceptually Provides a relationship graph model for global authorization across shared resources.
OpenFGA Partial Implements relationship tuples, models, contextual tuples, and conditions; reviewers must still assess tenant invariants and tuple writer controls.
Cedar Partial Supports entity hierarchies and policy evaluation, but schema, entity hierarchy, and context freshness still need review evidence.

Overall Assessment

Strengths:

  • Strong RBAC0-RBAC3 structure with hierarchy, constraints, permission boundaries, ABAC policy architecture, and role mining.
  • Good guidance on role explosion, SoD, centralized PDP, and authoritative ABAC attributes.
  • Useful warning that hybrid RBAC/ABAC is common and that role mining needs business validation.

Needs improvement:

  • Modern collaborative systems often need ReBAC, not only RBAC plus ABAC.
  • The skill lacks relationship schema evidence: object types, relations, allowed subject types, inheritance, caveats/conditions, and conflict semantics.
  • The skill does not require tuple writer validation, tenant-boundary invariant tests, relationship revocation freshness, or schema migration/replay tests.
  • Contextual tuples and token-derived relationships can become stale and should be assessed separately from stored relationship tuples.

Priority recommendations:

  1. Add a When to use ReBAC decision branch for shared resources, nested folders/projects, organization membership, delegated admin, group membership, and user-to-resource relationships.
  2. Add a Relationship Authorization Evidence table with object type, relation, allowed subject types, inheritance rule, tuple source, tuple writer, tenant boundary, caveat/condition, cache TTL, revocation path, decision log, and evidence confidence.
  3. Add invariant tests for tenant isolation, public/type-bound relationships, parent-child inheritance, group membership revocation, and multi-path authorization.
  4. Add schema/version migration guidance: model versioning, tuple migration, compatibility checks, decision replay, rollback plan, and orphaned-tuple detection.

Sources Checked

Bounty Info

  • I have read and agree to the CONTRIBUTING.md bounty terms
  • Preferred payment method: to be provided privately after acceptance

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions