# Account Operator
The Account Operator manages authorization tuples in OpenFGA for account resources. It only writes and deletes tuples; it does not create OpenFGA stores or authorization models, so the store and model referenced by `spec.fga.store.id` must already exist.
## Overview
When a new account is created, the Account Operator:
- Assigns the creator to the account's owner role
- Grants the owner role owner permissions on the account
- Creates a parent relation linking the account to its parent (except for org accounts)
## Configuration
| Field | Description | Example |
|---|---|---|
| `spec.fga.store.id` | OpenFGA store identifier | `<store-id>` |
| `spec.account.name` | Account name | `demo` |
| `spec.account.originClusterId` | Origin cluster ID | `<account-origin-cluster-id>` |
| `spec.account.generatedClusterId` | Generated cluster ID | `<account-generated-cluster-id>` |
| `spec.parentAccount.name` | Parent account name | `acme` |
| `spec.parentAccount.originClusterId` | Parent origin cluster ID | `<parent-origin-cluster-id>` |
| `spec.creator` | Creator email | `me@example.com` |
## Defaults
- Object type: `core_platform-mesh_io_account`
- Parent relation: `parent`
- Creator relation: `owner`
## Standard Account Tuples
### Written on Create
| # | User | Relation | Object |
|---|---|---|---|
| 1 | `core_platform-mesh_io_account:<parent-origin-cluster-id>/acme` | `parent` | `core_platform-mesh_io_account:<account-origin-cluster-id>/demo` |
| 2 | `user:me@example.com` | `assignee` | `role:core_platform-mesh_io_account/<account-origin-cluster-id>/demo/owner` |
| 3 | `role:core_platform-mesh_io_account/<account-origin-cluster-id>/demo/owner#assignee` | `owner` | `core_platform-mesh_io_account:<account-origin-cluster-id>/demo` |

```mermaid
graph LR
  A["user:me@example.com"] -->|assignee| B["role:.../<account-origin-cluster-id>/demo/owner"]
  B -->|owner| C["core_platform-mesh_io_account:<account-origin-cluster-id>/demo"]
  D["core_platform-mesh_io_account:<parent-origin-cluster-id>/acme"] -->|parent| C
```
### Deleted on Removal
During deletion the operator uses `originClusterId` only for the user side of the parent tuple; every object, and the owner role identifier, is addressed by `generatedClusterId`. If the two IDs differ, the deleted tuples are therefore not byte-for-byte the tuples written on create, so verify the store after removal rather than assuming it is clean.
| # | User | Relation | Object |
|---|---|---|---|
| 1 | `core_platform-mesh_io_account:<account-origin-cluster-id>/demo` | `parent` | `core_platform-mesh_io_account:<account-generated-cluster-id>/demo` |
| 2 | `user:me@example.com` | `assignee` | `role:core_platform-mesh_io_account/<account-generated-cluster-id>/demo/owner` |
| 3 | `role:core_platform-mesh_io_account/<account-generated-cluster-id>/demo/owner#assignee` | `owner` | `core_platform-mesh_io_account:<account-generated-cluster-id>/demo` |
## Organization Account Tuples
For organization accounts (`type = org`), the parent tuple is skipped. Only creator-related tuples are written and deleted.
### Org Written on Create
| # | User | Relation | Object |
|---|---|---|---|
| 1 | `user:me@example.com` | `assignee` | `role:core_platform-mesh_io_account/<org-origin-cluster-id>/<org-name>/owner` |
| 2 | `role:core_platform-mesh_io_account/<org-origin-cluster-id>/<org-name>/owner#assignee` | `owner` | `core_platform-mesh_io_account:<org-origin-cluster-id>/<org-name>` |

```mermaid
graph LR
  A["user:me@example.com"] -->|assignee| B["role:.../<org-origin-cluster-id>/<org-name>/owner"]
  B -->|owner| C["core_platform-mesh_io_account:<org-origin-cluster-id>/<org-name>"]
```
### Org Deleted on Removal
| # | User | Relation | Object |
|---|---|---|---|
| 1 | `user:me@example.com` | `assignee` | `role:core_platform-mesh_io_account/<org-generated-cluster-id>/<org-name>/owner` |
| 2 | `role:core_platform-mesh_io_account/<org-generated-cluster-id>/<org-name>/owner#assignee` | `owner` | `core_platform-mesh_io_account:<org-generated-cluster-id>/<org-name>` |
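The tables above for standard and organization accounts, on create and on removal, can be reduced to a single tuple-building routine. The following is an added example written for this page and is not the Account Operator's own code: `AccountSpec` is a hypothetical flattened struct standing in for the configuration fields, the cluster IDs in `main` are made-up values, and nothing is sent to OpenFGA. It encodes the naming conventions from the tables (object type, role identifier, `#assignee` userset) and the two rules the page states: org accounts skip the parent tuple, and removal addresses objects and role identifiers by `generatedClusterId` while the parent tuple's user side keeps `originClusterId`.

```go
package main

import "fmt"

// Tuple is a plain OpenFGA relationship tuple: user, relation, object.
type Tuple struct {
	User     string
	Relation string
	Object   string
}

func (t Tuple) String() string { return t.User + " " + t.Relation + " " + t.Object }

// AccountSpec is a hypothetical flattening of the configuration table above;
// it is not the operator's CRD type.
type AccountSpec struct {
	Name                  string // spec.account.name
	Type                  string // "org" skips the parent tuple
	OriginClusterID       string // spec.account.originClusterId
	GeneratedClusterID    string // spec.account.generatedClusterId
	ParentName            string // spec.parentAccount.name
	ParentOriginClusterID string // spec.parentAccount.originClusterId
	Creator               string // spec.creator (email)
}

// Defaults listed on the page.
const (
	objectType      = "core_platform-mesh_io_account"
	parentRelation  = "parent"
	creatorRelation = "owner"
)

// accountObject renders "<type>:<cluster-id>/<name>".
func accountObject(clusterID, name string) string {
	return fmt.Sprintf("%s:%s/%s", objectType, clusterID, name)
}

// ownerRole renders "role:<type>/<cluster-id>/<name>/owner".
func ownerRole(clusterID, name string) string {
	return fmt.Sprintf("role:%s/%s/%s/%s", objectType, clusterID, name, creatorRelation)
}

// creatorTuples returns the two creator-related tuples for the account addressed
// by clusterID: creator -> assignee of the owner role, and the role's assignee
// userset -> owner of the account.
func creatorTuples(spec AccountSpec, clusterID string) []Tuple {
	role := ownerRole(clusterID, spec.Name)
	return []Tuple{
		{User: "user:" + spec.Creator, Relation: "assignee", Object: role},
		{User: role + "#assignee", Relation: creatorRelation, Object: accountObject(clusterID, spec.Name)},
	}
}

// CreateTuples builds the "Written on Create" set: every identifier uses the
// origin cluster ID, and org accounts get no parent tuple.
func CreateTuples(spec AccountSpec) []Tuple {
	var tuples []Tuple
	if spec.Type != "org" {
		tuples = append(tuples, Tuple{
			User:     accountObject(spec.ParentOriginClusterID, spec.ParentName),
			Relation: parentRelation,
			Object:   accountObject(spec.OriginClusterID, spec.Name),
		})
	}
	return append(tuples, creatorTuples(spec, spec.OriginClusterID)...)
}

// DeleteTuples builds the "Deleted on Removal" set: the parent tuple's user side
// keeps the origin cluster ID, everything else uses the generated cluster ID.
func DeleteTuples(spec AccountSpec) []Tuple {
	var tuples []Tuple
	if spec.Type != "org" {
		tuples = append(tuples, Tuple{
			User:     accountObject(spec.OriginClusterID, spec.Name),
			Relation: parentRelation,
			Object:   accountObject(spec.GeneratedClusterID, spec.Name),
		})
	}
	return append(tuples, creatorTuples(spec, spec.GeneratedClusterID)...)
}

func main() {
	// Made-up IDs standing in for the <...> placeholders in the tables.
	spec := AccountSpec{
		Name: "demo", OriginClusterID: "origin-1", GeneratedClusterID: "gen-1",
		ParentName: "acme", ParentOriginClusterID: "parent-origin-1", Creator: "me@example.com",
	}
	for _, t := range CreateTuples(spec) {
		fmt.Println("write ", t)
	}
	for _, t := range DeleteTuples(spec) {
		fmt.Println("delete", t)
	}
	org := spec
	org.Type = "org"
	fmt.Println("org tuples on create:", len(CreateTuples(org))) // 2, no parent tuple
}
```

Printing both sets side by side for a spec whose two cluster IDs differ makes the removal caveat concrete: only tuples that match the deleted set exactly are removed from the store, so anything written with a different identifier survives and should be looked for explicitly.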