Relationships (ReBAC)
Zanzibar-style relationship tuples with graph traversal for fine-grained access control.
Relationship-based access control (ReBAC) uses a tuple store to model who has what relationship to which resource. PlatformXe implements a Zanzibar-style graph that supports indirect relationships through traversal.
Relationship tuples
Every relationship is stored as a tuple:

```
subject → relation → object
user:steve → owner → folder:design
folder:design → parent → document:logo
```
This means: Steve owns the design folder, which is the parent of document:logo. Through graph traversal, Steve has indirect access to document:logo.
Graph traversal
When a permission check includes relationship evaluation, the engine traverses the graph from the subject toward the object, following relationship edges.
- Max depth: 5 hops
- Cycle detection: the engine tracks visited nodes and stops if a cycle is detected
- Evaluation: if a valid path exists from subject to object, access is granted
Example traversal
```
user:steve → member → team:engineering
team:engineering → owner → project:api
project:api → parent → document:spec
```
A check for whether user:steve can access document:spec traverses: steve is a member of engineering, which owns the api project, which is the parent of spec. Access granted in 3 hops.
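The traversal rules above (follow edges from subject toward object, stop at 5 hops, skip nodes already visited) can be sketched as a breadth-first search. This is an added example, not PlatformXe's engine code; the `buildGraph` and `check` functions, the cycle, and the `folder:n0`…`folder:n6` chain are constructed for illustration.

```javascript
// Added illustration, not PlatformXe engine code. All tuples are constructed.
const MAX_DEPTH = 5; // hop limit stated on this page

const tuples = [
  ['user:steve', 'member', 'team:engineering'],
  ['team:engineering', 'owner', 'project:api'],
  ['project:api', 'parent', 'document:spec'],
  // Constructed cycle: two folders that name each other as parent.
  ['folder:a', 'parent', 'folder:b'],
  ['folder:b', 'parent', 'folder:a'],
  // Constructed chain folder:n0 -> ... -> folder:n6 (6 hops end to end).
  ...Array.from({ length: 6 }, (_, i) => [`folder:n${i}`, 'parent', `folder:n${i + 1}`]),
];

// Index edges by subject so each hop is a single lookup.
function buildGraph(rows) {
  const graph = new Map();
  for (const [subject, relation, object] of rows) {
    if (!graph.has(subject)) graph.set(subject, []);
    graph.get(subject).push({ relation, object });
  }
  return graph;
}

// Breadth-first search from subject toward object.
// Returns the shortest path found within maxDepth hops, or a denial.
function check(graph, subject, object, maxDepth = MAX_DEPTH) {
  const visited = new Set([subject]); // cycle detection
  let frontier = [{ node: subject, path: [] }];
  for (let hops = 1; hops <= maxDepth && frontier.length > 0; hops++) {
    const next = [];
    for (const { node, path } of frontier) {
      for (const edge of graph.get(node) || []) {
        const step = [...path, `${node} -${edge.relation}-> ${edge.object}`];
        if (edge.object === object) return { allowed: true, hops, path: step };
        if (visited.has(edge.object)) continue; // already expanded: skip
        visited.add(edge.object);
        next.push({ node: edge.object, path: step });
      }
    }
    frontier = next;
  }
  return { allowed: false, hops: null, path: [] }; // fail closed
}

const graph = buildGraph(tuples);
console.log(check(graph, 'user:steve', 'document:spec'));
```

The sketch treats every relation as a traversable edge, matching the rule that any valid path grants access, so a single broad tuple such as a team-level `owner` reaches everything downstream of it. A target that sits 6 hops away is denied even though a path exists, which is worth checking when a deep hierarchy produces unexpected denials.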
Writing relationships
Relationships are written in batches. Each operation is either WRITE (create) or DELETE (remove).
```bash
curl -X POST https://api.platformxe.com/api/v1/permissions/relationships \
  -H "Content-Type: application/json" \
  -H "x-api-key: pxk_live_your_api_key_here" \
  -d '{
    "operations": [
      {
        "operation": "WRITE",
        "subject": "user:steve",
        "relation": "editor",
        "object": "document:quarterly-report"
      },
      {
        "operation": "WRITE",
        "subject": "team:finance",
        "relation": "viewer",
        "object": "folder:reports"
      }
    ]
  }'
```

```javascript
// px is an already-initialized PlatformXe client (setup is not shown on this page).
await px.permissions.writeRelationships({
  operations: [
    {
      operation: 'WRITE',
      subject: 'user:steve',
      relation: 'editor',
      object: 'document:quarterly-report',
    },
    {
      operation: 'WRITE',
      subject: 'team:finance',
      relation: 'viewer',
      object: 'folder:reports',
    },
  ],
});
```
Common patterns
| Pattern | Subject | Relation | Object |
|---|---|---|---|
| Group membership | user:alice | member | team:design |
| Resource ownership | user:bob | owner | project:website |
| Folder hierarchy | folder:root | parent | folder:documents |
| Org structure | team:eng | part_of | org:acme |
Keep relationship chains shallow. The 5-hop depth limit is intentional — deeply nested graphs increase latency and are harder to reason about. Prefer direct relationships where possible.