
Authorization

Authorization is a crucial component of the IAM block on the kis.ai platform. We support various popular forms of authorization, including Access Control Lists (ACLs), Role-Based Access Control (RBAC), Attribute-Based Access Control (ABAC), and Relationship-Based Access Control (ReBAC). Our platform utilizes a Policy as Code (PaC) framework, which allows policies to be written, managed, and enforced as code, enhancing flexibility and scalability. Policies are written in YAML combined with any of the following languages: expr, JavaScript, Go and WASM, giving developers a wide choice of languages in which to express access rules easily and effectively.

We believe in the principle of co-locating policies closer to the objects they are designed to protect. This approach ensures that authorization policies are directly associated with the relevant resources, providing context-aware security measures and simplifying policy management. This method enhances security by ensuring that policies are always in close proximity to the resources they govern, reducing the risk of misconfiguration or unauthorized access.

Additionally, for organizations that already have an established authorization framework, we support delegating authorization requests to Open Policy Agent (OPA). This allows seamless integration with existing policy management systems, enabling organizations to leverage their current investments in authorization infrastructure while benefiting from the capabilities of the kis.ai platform.

Our comprehensive approach to authorization ensures that applications built on kis.ai are secure, flexible, and capable of meeting diverse access control requirements. By supporting multiple authorization models and integrating with existing policy agents, kis.ai provides a robust and adaptable solution for managing access control in modern enterprise environments.

Defining Authorization Rules

Authorization rules are defined at each block level, with specifics related to the service. Below are some examples of the authorization rules for key services. The complete list of access rules is available in the API section of the individual block.

Data API

Data API is a key service that needs a strong authorization framework, with fine-grained access control at the entity level and at the individual row level.

Entity-level Access Rules

Each entity in Data API maps to a table in the database. Access rules at the entity level control which operations are allowed for a particular user.

Here is an example entity, taskboard, with read privileges for everyone but read and write privileges only for users with the Admin role. The user object carries all the attributes of the logged-in user and is also available in the JWT token.

datastore/alm/taskboard.yaml

```yaml
entities:
  - name: taskboard
    inherits: kisai.id
    fields:
      - name: name
        type: string
      - name: description
        type: string

    access:
      actions:
        rule: |

          if (user.roles && user.roles.includes("Admin")) {
            ["create", "update", "delete", "read"]
          } else {
            ["read", "update"]
          }
```