Relationship-Based Access Control
Configure ReBAC with Zanzibar-style relation definitions and relationship tuples.
Admin Endpoints
Section titled “Admin Endpoints”| Endpoint | Method | Description |
|---|---|---|
/api/admin/rebac/relation-definitions | GET/POST | List or create relation definitions |
/api/admin/rebac/relation-definitions/:id | GET/PUT/DELETE | Manage a relation definition |
/api/admin/rebac/tuples | GET/POST | List or create relationship tuples |
/api/admin/rebac/tuples/:id | DELETE | Delete a relationship tuple |
/api/admin/rebac/check | POST | Simulate a permission check for debugging |
/api/admin/rebac/object-types | GET | List object types used by definitions |
Relationship Tuple
Section titled “Relationship Tuple”{ "relationship_type": "viewer", "from_type": "subject", "from_id": "user-123", "to_type": "document", "to_id": "doc-456", "permission_level": "read"}Runtime Service
Section titled “Runtime Service”The policy worker also exposes service-to-service ReBAC APIs under /api/rebac/*, including check, batch-check, list-objects, list-users, write, and tuple delete operations.