Authorization
Mesachat uses a dual authorization engine combining Relationship-Based Access Control (ReBAC) and Attribute-Based Access Control (ABAC): ReBAC decides whether a chain of relationships connects the caller to the resource, and ABAC decides whether the attributes of the request (time, region, usage limits) satisfy policy.
Authorization Models
ReBAC (OpenFGA)
Relationship-based access control using OpenFGA, an implementation of Google's Zanzibar model. Permissions are derived by walking a chain of stored relationship tuples:
User → member_of → Team → part_of → Tenant → owns → Bot
Use cases:
- "Can this user access this bot?"
- "Can this team use this agent?"
- "Which bots does this tenant own?"
ABAC (Cerbos)
Attribute-based access control using Cerbos, which evaluates policy conditions over attributes of the principal, the resource and the request context:
Use cases:
- "Can this user invoke agent X during business hours?"
- "Can this bot use the web scraping tool in this region?"
- "Does this request meet the rate limit policy?"
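The two stages described above, as an added example that is not Mesachat's, OpenFGA's or Cerbos's own code: a toy Zanzibar-style tuple walker for the ReBAC stage (Check and ListObjects over the User → Team → Tenant → Bot chain) and a small Cerbos-style rule evaluator for the ABAC stage (business hours, region match, an explicit deny), wired together in one authorize() function. The relation names (member, team, owner, can_access), the tuples, the policy rules, the role names, the rate_limited attribute and the assumption that the relationship check runs before the attribute policy are all constructed for illustration.

```python
"""Added example, not Mesachat's own code: a toy version of the two-stage
decision described above.  Stage 1 is a Zanzibar-style relationship check in
the spirit of an OpenFGA model; stage 2 is a Cerbos-style attribute policy.
Every tuple, attribute and rule below is constructed sample data."""
from datetime import datetime

# ---- ReBAC stage ----
# (object type, relation) -> rewrite rules, mirroring an OpenFGA model:
#   "direct"                     : granted by a stored tuple object#relation@user
#   ("from", tupleset, relation) : OpenFGA "relation from tupleset": users holding
#                                  `relation` on any object reached via `tupleset`
MODEL = {
    ("team", "member"):    ["direct"],
    ("tenant", "team"):    ["direct"],
    ("tenant", "member"):  [("from", "team", "member")],   # member of any team in the tenant
    ("bot", "owner"):      ["direct"],
    ("bot", "can_access"): [("from", "owner", "member")],  # member of the owning tenant
}

# Stored relationship tuples (object, relation, user): constructed sample data.
TUPLES = {
    ("team:support", "member", "user:alice"),
    ("team:billing", "member", "user:bob"),
    ("team:ops",     "member", "user:carol"),
    ("tenant:acme",   "team", "team:support"),
    ("tenant:acme",   "team", "team:billing"),
    ("tenant:globex", "team", "team:ops"),
    ("bot:faq",     "owner", "tenant:acme"),
    ("bot:support", "owner", "tenant:acme"),
    ("bot:sre",     "owner", "tenant:globex"),
}

def check(user: str, relation: str, obj: str, depth: int = 0) -> bool:
    """OpenFGA-style Check: does `user` hold `relation` on `obj`? Walks the model graph."""
    if depth > 8:                        # bound recursion so a cyclic model cannot hang
        return False
    obj_type = obj.split(":", 1)[0]
    for rule in MODEL.get((obj_type, relation), []):
        if rule == "direct":
            if (obj, relation, user) in TUPLES:
                return True
        else:
            _, tupleset, rel = rule
            for (o, r, subject) in TUPLES:   # each object reached from obj via the tupleset
                if o == obj and r == tupleset and check(user, rel, subject, depth + 1):
                    return True
    return False

def list_objects(user: str, relation: str, obj_type: str) -> set[str]:
    """OpenFGA-style ListObjects: every `obj_type` on which `user` holds `relation`."""
    candidates = {o for (o, _, _) in TUPLES if o.startswith(obj_type + ":")}
    return {o for o in candidates if check(user, relation, o)}

# ---- ABAC stage ----
def business_hours(now: datetime) -> bool:
    return now.weekday() < 5 and 9 <= now.hour < 17

# Cerbos-style rules: actions + roles + effect + condition.  The lambdas stand in
# for CEL expressions over request.principal / request.resource attributes.
POLICY = [
    {"resource": "agent", "actions": {"invoke"}, "roles": {"channel_user", "bot_admin"},
     "effect": "allow", "condition": lambda req: business_hours(req["now"])},
    {"resource": "tool", "actions": {"use"}, "roles": {"bot"}, "effect": "allow",
     "condition": lambda req: req["resource"]["name"] != "web_scraper"
                              or req["resource"]["region"] == req["principal"]["region"]},
    # an explicit deny (here: a rate-limit flag set upstream, assumed attribute) beats any allow
    {"resource": "agent", "actions": {"invoke"}, "roles": {"channel_user"},
     "effect": "deny", "condition": lambda req: req["principal"].get("rate_limited", False)},
]

def abac_decide(req: dict) -> str:
    """Deny by default; if both allow and deny rules match, deny wins."""
    effects = set()
    for rule in POLICY:
        if rule["resource"] != req["resource"]["kind"] or req["action"] not in rule["actions"]:
            continue
        if not rule["roles"] & set(req["principal"]["roles"]):
            continue
        if rule["condition"](req):
            effects.add(rule["effect"])
    return "deny" if "deny" in effects or "allow" not in effects else "allow"

# ---- Combined decision (assumed ordering: relationship gate first, then attributes) ----
def authorize(user: str, bot: str, principal_attrs: dict, now: datetime) -> tuple[str, str]:
    """Returns (decision, reason) for `user` invoking the agent behind `bot`."""
    if not check(user, "can_access", bot):
        return "deny", "no relationship path from user to bot"
    req = {"action": "invoke", "now": now,
           "principal": {"id": user, **principal_attrs},
           "resource": {"kind": "agent", "id": bot}}
    if abac_decide(req) != "allow":
        return "deny", "attribute policy rejected the request"
    return "allow", ""

if __name__ == "__main__":
    wed_10am = datetime(2024, 6, 12, 10, 0)   # a weekday inside business hours
    print(sorted(list_objects("tenant:acme", "owner", "bot")))
    print(authorize("user:alice", "bot:faq", {"roles": ["channel_user"]}, wed_10am))
    print(authorize("user:carol", "bot:faq", {"roles": ["channel_user"]}, wed_10am))
```

Two properties of this toy are worth keeping in any real deployment: the relationship walk bounds its recursion depth so a cyclic model cannot hang a check, and the attribute stage is deny-by-default with an explicit deny overriding any allow, which is also how Cerbos resolves conflicting rules. Running the relationship gate first keeps the attribute policy from ever seeing requests for resources the caller has no path to.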
Channel Authorization
Control which channels (Telegram chats, email addresses) can interact with your bots:
- Go to Channels → Authorized Channels
- Add the channel IDs that are allowed to interact (Telegram chat IDs or email addresses), scoped to your tenant
- Assign bots to channels via Authorization Groups
Authorization Groups
An authorization group bundles several channels that share the same bot assignments, so bots are assigned once per group instead of once per channel:
Auth Group: "Customer Support"
├── Telegram Chat: -1001234567890
├── Telegram Chat: -1009876543210
└── Assigned Bots: [Support Bot, FAQ Bot]
Permission Hierarchy
Tenant Admin
├── Can manage all tenant resources
├── Can create/delete bots
├── Can manage API keys
└── Can authorize channels
Bot Admin
├── Can configure assigned bots
├── Can manage integrations
└── Can view bot metrics
Channel User
├── Can send messages
├── Can interact with assigned agents
└── Cannot modify configuration