
Resource Relationships

Vista allows defining permissions that are based on relationships between Resource Types.

Example: If you have 'read' access to a folder, you should also have 'read' access to all the documents in that folder.

This is done in 3 steps:

  1. Defining a relationship-type attribute on a Resource Type
  2. Creating an object-object relationship
  3. Granting permissions by referencing the relationship

Relationship-type Attributes

Vista allows defining attributes on Resource Types - think of these as columns in a table. There are 2 types of attributes:

  • scalar (string, number, etc)
  • relationship (foreign-key that refers to another Resource Type)

This is done via the dashboard.

Creating an object-object relationship

Once a relationship-type attribute is defined, it can be used to create object-object relationships:

    # add 'document1' to folder1.children
    client.resource_types.add_relationship('folder1', 'folder', 'children', 'document1', 'document')

Granting permissions

There are 2 ways to leverage the object-object relationship: through a direct grant or through a role.

Note: you can use VistaClient.ALL anywhere a resource_id is accepted to indicate all.

Direct Grant

    # grant user1 read access to folder1.documents
    client.users.grant_action('user1', 'read', 'folder1', 'folder', 'documents')

Role Grant

Granting an object-object permission can be done via Roles as well, by adding the permission to the Role.

This permission will propagate to anyone assigned to that role.

Checking permissions

Checking access to the target object is done in the same way as any other object.

    granted = client.users.check('user1', 'read', 'documents', 'document1')
    # granted = [{
    #     action: 'read',
    #     resource_id: 'document1',
    #     resource_type: 'documents'
    # }]
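
The three steps above, modelled as an added example (not Vista's code or API): a small in-memory store, with the hypothetical names `ToyAuthz`, `ALL` and `demo`, that resolves a grant on `folder1.children` to the documents linked under it and denies everything else. It uses the `children` attribute and `document` type from the relationship example, and shows that unlinking a document removes the inherited access.

```python
from collections import defaultdict

ALL = "*"  # hypothetical wildcard id, standing in for the role VistaClient.ALL plays

class ToyAuthz:
    """In-memory model of relationship-based grants; not Vista's implementation."""
    def __init__(self):
        # (parent_id, parent_type, attribute) -> {(child_id, child_type), ...}
        self.relationships = defaultdict(set)
        # user -> {(action, resource_id, resource_type, attribute or None), ...}
        self.grants = defaultdict(set)

    def add_relationship(self, parent_id, parent_type, attribute, child_id, child_type):
        self.relationships[(parent_id, parent_type, attribute)].add((child_id, child_type))

    def remove_relationship(self, parent_id, parent_type, attribute, child_id, child_type):
        self.relationships[(parent_id, parent_type, attribute)].discard((child_id, child_type))

    def grant_action(self, user, action, resource_id, resource_type, attribute=None):
        self.grants[user].add((action, resource_id, resource_type, attribute))

    def check(self, user, action, resource_type, resource_id):
        target = (resource_id, resource_type)
        for g_action, g_id, g_type, attribute in self.grants.get(user, ()):
            if g_action != action:
                continue
            if attribute is None:  # grant on the object itself
                if g_type == resource_type and g_id in (resource_id, ALL):
                    return True
                continue
            # Relationship grant: allowed only while target is linked under parent.attribute
            for (p_id, p_type, attr), children in self.relationships.items():
                if (p_type, attr) == (g_type, attribute) and g_id in (p_id, ALL) and target in children:
                    return True
        return False  # default deny

def demo():
    authz = ToyAuthz()  # constructed sample data below
    authz.add_relationship("folder1", "folder", "children", "document1", "document")
    authz.add_relationship("folder2", "folder", "children", "document2", "document")
    authz.grant_action("user1", "read", "folder1", "folder", "children")
    results = {
        "in_folder": authz.check("user1", "read", "document", "document1"),
        "other_folder": authz.check("user1", "read", "document", "document2"),
        "other_action": authz.check("user1", "write", "document", "document1"),
    }
    authz.remove_relationship("folder1", "folder", "children", "document1", "document")
    results["after_unlink"] = authz.check("user1", "read", "document", "document1")
    return results
```

The negative cases (a document in another folder, a different action, a document after it is unlinked) are the ones worth reproducing as regression tests against a real policy store whenever inherited grants are in use.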