Skip to content

Relationship-Based Access Control

Configure ReBAC with Zanzibar-style relation definitions and relationship tuples.

EndpointMethodDescription
/api/admin/rebac/relation-definitionsGET/POSTList or create relation definitions
/api/admin/rebac/relation-definitions/:idGET/PUT/DELETEManage a relation definition
/api/admin/rebac/tuplesGET/POSTList or create relationship tuples
/api/admin/rebac/tuples/:idDELETEDelete a relationship tuple
/api/admin/rebac/checkPOSTSimulate a permission check for debugging
/api/admin/rebac/object-typesGETList object types used by definitions
{
"relationship_type": "viewer",
"from_type": "subject",
"from_id": "user-123",
"to_type": "document",
"to_id": "doc-456",
"permission_level": "read"
}

The policy worker also exposes service-to-service ReBAC APIs under /api/rebac/*, including check, batch-check, list-objects, list-users, write, and tuple delete operations.