Entitlements

In applications with differentiated subscription tiers or paid features users' permissions are determined by the features they have paid for.

Implement the logic

The core part of the entitlements logic is to conditionally grant a user permission based on a combination of their role and attributes of the organization (like the subscription tier they are on).

For example, we can grant users permission to create repositories for an organization if they have the "member" role for that organization and the organization has quota remaining for creating repositories.


actor User { }
resource Organization {
  roles = ["admin", "member"];
  permissions = ["repository.create"];
  "member" if "admin";
}
resource Plan {
  roles = ["subscriber"];
  relations = { subscribed_organization: Organization };
  "subscriber" if role on "subscribed_organization";
}
resource Feature {
  relations = { plan: Plan };
}
has_permission(user: User, "repository.create", org: Organization) if
  has_role(user, "member", org) and
  has_quota_remaining(org, Feature{"repository"});
has_quota_remaining(org: Organization, feature: Feature) if
  quota matches Integer and
  has_quota(org, feature, quota) and
  used matches Integer and
  quota_used(org, feature, used) and
  used < quota;
has_quota(org: Organization, feature: Feature, quota: Integer) if
  plan matches Plan and
  has_relation(plan, "subscribed", org) and
  plan_quota(plan, feature, quota);

Test the logic

To test this we have:

A few organizations with different plans and quotas used.
Users belonging to each of those organizations.
Tests to check which users can still create repositories.


declare plan_quota(Plan, Feature, Integer);
declare quota_used(Organization, Feature, Integer);
plan_quota(Plan{"pro"}, Feature{"repository"}, 10);
plan_quota(Plan{"basic"}, Feature{"repository"}, 0);
test "members can create repositories if they have quota" {
  setup {
    quota_used(Organization{"apple"}, Feature{"repository"}, 5);
    quota_used(Organization{"netflix"}, Feature{"repository"}, 10);
    quota_used(Organization{"amazon"}, Feature{"repository"}, 0);
    has_relation(Plan{"pro"}, "subscribed", Organization{"apple"});
    has_relation(Plan{"pro"}, "subscribed", Organization{"netflix"});
    has_relation(Plan{"basic"}, "subscribed", Organization{"amazon"});
    has_role(User{"alice"}, "member", Organization{"apple"});
    has_role(User{"bob"}, "member", Organization{"netflix"});
    has_role(User{"charlie"}, "member", Organization{"amazon"});
  }
  assert has_quota_remaining(Organization{"apple"}, Feature{"repository"});
  # Apple has quota remaining, so all good
  assert allow(User{"alice"}, "repository.create", Organization{"apple"});
  # Netflix has used all quota
  assert_not allow(User{"bob"}, "repository.create", Organization{"netflix"});
  # Amazon doesn't have any quota left
  assert_not allow(User{"charlie"}, "repository.create", Organization{"amazon"});
}

Resource creation authorization