Authorization and Permissions
This document covers the extensive and robust permissioning capabilities available within the Taloflow platform for customized access and control schemes.
Last updated
This document covers the extensive and robust permissioning capabilities available within the Taloflow platform for customized access and control schemes.
Last updated
Taloflow provides robust permission and security features, offering fine-grained permissions for implementing Role-Based Access Control (RBAC) and customized access and control schemes. The permissions and security components include user authentication through Auth0, centralized authentication verification via an Open Policy Agent (OPA) server, and separate authorization for every API request through OPA.
The system enforces the process using encrypted JWT tokens and a common library across the Taloflow codebase. External requests are first provided with an Auth0 token, which the system verifies. Then, an internal token with revised scopes is provided for the requested action. Services within the system use this internal token and their service identity to verify that the request is within the scope of permissions.
Taloflow's permission system is highly flexible, allowing for a wide range of permissioning structures, including placing users into groups, attaching permissions at both group and user levels, and restricting access at the resource level. Additionally, the system enables the implementation of data filtering when necessary and requires proper authorization tokens of the service and the user for any request authentication.
The Taloflow permission system consists of the following components:
Policy Database: Policies are attached to principals and resources through their IDs. A policy contains:
An action (allow or deny)
A list of principals
A list of resources
A set of conditions
Rego Rules: Rules written in Rego enforce the policies.
OPA Server Implementation: The OPA server provides a fast and efficient way to analyze the rules database. It communicates with the rest of the system to obtain information about resources and principals.
Security Libraries: Libraries enforce security mechanisms at the server level, generally as transparent middleware to the developer, reducing the chance of developer error.
User Data Security: User information is safely stored in Auth0. Taloflow does not use passwords, email addresses, or other personal information in the permissioning process.
Mandatory Authentication: All user requests on every server and to every API must be accompanied by a verifiable, encrypted token. While not technically "zero trust," the assumption is that no communication, even behind the firewall, can happen without some trust element in the request.
Centralized Authentication and Authorization: All decisions are centralized into a set of OPA servers. This ensures consistent permissions and minimizes timing differences and developer errors. Scopes are consistently granted, and the risk of a centralized failure is considered worth the benefit of consistent decision-making.
Flexible Rego Rules: Rego offers the ability to create flexible rules that can be easily updated. Centralized permissioning means services do not need to implement specific rules, as actions are impacted directly in OPA with ALLOW or DENY returns. This enables responsiveness to individual security needs.
Granular Authorization: Requests can be authorized at almost any level in the system. While most authorization currently happens at the API level, method-level or even within-method-level authorization can be easily implemented. This allows for restrictions on specific data entries or other low-level information if necessary.
Taloflow's permissions system is very flexible and allows for a wide range of permissioning structures:
User Groups: Users can be placed into groups. In addition to Taloflow's standard role groups, custom groups can be established. Permissions are attached to both groups and users, allowing limitations or grants at both levels. Taloflow offers Admin and Member role groups for workspaces and Owner, Editor, and Viewer roles for evaluations, supporting a traditional RBAC scheme.
Fine-grained Permissions: Every API call in the system is authorized through OPA, allowing for data filtering when needed.
Security Against Bad Actors: OPA authenticates any request it receives to verify that the sender is authorized. For any bad actor to succeed, the service and the user must have a proper authorization token.
Taloflow assumes that all requests are DENIED unless a rule allows them.
Authentication: Taloflow first authenticates the principal, typically a registered user authenticated by Auth0. The system can also work with anonymous users and temporary credentials.
Policy Processing: Taloflow processes the requested information to determine applicable policies and boundaries. The result is a list of possible policies based on the principals and resources.
Evaluating Policies: Taloflow evaluates all policies. The order of evaluation does not impact the result, but all boundary policies are evaluated first for efficiency. It is denied if there is no ALLOW at some level for the request. All deny policies are then evaluated. If any policy denies the request, it is denied. Finally, the system looks for an ALLOW policy that grants access and accumulates the scopes in the "allow" policies.
Determining Request Outcome: Taloflow processes the policies against the request context to determine whether to allow or deny the request.
Taloflow gathers the following information into a request context:
Actions (Operations): The actions or operations the principal wants to perform.
Resources: The Taloflow resource object on which the actions are performed.
Principal: The user, role, federated user, or application sending the request, including associated policies.
Environment Data: Information attached to the request, such as IP address, user agent, SSL status, GraphQL request details, or time of day.
Resource Data: Data related to the requested resource, such as evaluation ID or workspace ID.
Taloflow evaluates policies based on the types that apply to the request context:
Identity-Based Policies: Attached to users, groups, or roles and grant permissions. Taloflow checks these policies for at least one Allow and no Denies.
Resource-Based Policies: Grant permissions to the principal specified in the policy. Taloflow checks resource- and identity-based policies for at least one "allow" and no "denied."
Permissions Boundaries: Set the maximum permissions an identity-based policy can grant. Both identity-based policies and permissions boundaries must allow the action.
Taloflow Organizations Control Policies (OCPs): These policies specify the maximum permissions for an organization or organizational unit (OU). OCPs, identity-based policies, and resource-based policies must all allow the action.
An explicit denial in any of these policies overrides the allow.
Identity-based and resource-based policies grant permissions to the identities or resources to which they are attached. When an entity requests access to a resource within the same account, Taloflow evaluates all permissions granted by both policy types. The resulting permissions are the total of both types. An explicit denial in either policy overrides the allow.
When evaluating identity-based policies and permissions boundaries for a user, the resulting permissions intersect with both categories. Adding a permissions boundary might reduce user actions while removing it might increase them. An explicit denial in either policy overrides the allow.
When a user belongs to an account that is a member of an organization, the resulting permissions are the intersection of the user's policies and the SCP. Both the identity-based policy and the SCP must allow the action. An explicit denial in either policy overrides the allow.
Taloflow evaluates all applicable policies to decide whether to allow or deny a request:
By default, all requests are implicitly denied, except for those made by the Taloflow account root user, who has full access.
An explicit allow in an identity-based or resource-based policy overrides this default.
A permissions boundary, organization's OCP, or session policy might override the allow with an implicit deny.
An explicit denial in any policy overrides any allows.
The system has many permissions set up. Here are examples of a few. More permissions are added as the system evolves.
Permission
Description
evaluation.view
View evaluations
evaluation.create
Create evaluations
evaluation.edit
Edit evaluations
evaluation.delete
Delete evaluations
evaluation.archive
Archive evaluations
evaluation.unarchive
Unarchive evaluations
evaluation.export
Export evaluations
evaluation.rename
Rename evaluations
evaluation.move
Move evaluations
evaluation.invite
Invite users to evaluations
evaluation.uninvite
Uninvite users from evaluations
Permission
Description
workspace.view
View workspaces
workspace.create
Create workspaces
workspace.edit
Edit workspaces
workspace.delete
Delete workspaces
workspace.rename
Rename workspaces
workspace.move
Move workspaces
workspace.invite
Invite users to workspaces
