Automatic provisioning and onboarding of offline or disconnected machines
US-12182236-B2 · Dec 31, 2024 · US
US2026057050A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2026057050-A1 |
| Application number | US-202519373474-A |
| Country | US |
| Kind code | A1 |
| Filing date | Oct 29, 2025 |
| Priority date | Apr 29, 2022 |
| Publication date | Feb 26, 2026 |
| Grant date | — |
Official abstract text for this publication.
An authorization is performed based on data types—an authorization model, and relationship tuples—that are applicable across different organizations. Each organization wishing to use a system for authorization specifies its own authorization models representing types of objects that can exist within the organization and types of relations those objects can have. When a given organization submits an authorization query to determine whether a given user and a given object are in a given type of relation within that organization, the system analyzes the authorization model and relationship tuples to make the determination. Query response latency may be reduced through techniques such as geographic distribution of servers and sharding of data so that the data for a given query can be found within the same shard.
Opening claim text (preview).
What is claimed is:

1. A computer-implemented method in a multi-tenant system, comprising: receiving, from an administrator of a tenant of the multi-tenant system, input indicative of an authorization model for the tenant, the authorization model indicating types of objects of the tenant and types of relations that the types of objects have with users of the tenant; outputting a first query for a first type of relationship tuple associated with a first type of user identifier; outputting a second query for a second type of relationship tuple associated with a second type of user identifier; receiving a plurality of relationship tuples indicating a plurality of relations between a plurality of users and a plurality of objects based at least in part on the first query and the second query; receiving a request to determine whether a user of the tenant is authorized to perform an action on an object; determining whether the user is authorized to perform the action on the object, the determination being made in accordance with the authorization model and a set of relationship tuples of the plurality of relationship tuples, the set of relationship tuples based at least in part on the request, wherein the set of relationship tuples comprises relationship tuples of the first type or the second type; and responding to the request in accordance with the determination.

2. The computer-implemented method of claim 1, wherein: the input comprises at least one natural language message indicating at least one rule of the authorization model, and the at least one rule indicates the types of objects of the tenant and the types of relations that the types of objects have with the users of the tenant.

3. The computer-implemented method of claim 2, further comprising: generating the authorization model from the at least one natural language message using an artificial intelligence model, wherein the authorization model is expressed with a domain-specific language (DSL).

4. The computer-implemented method of claim 3, further comprising: outputting an indication of the DSL to the administrator in response to receiving the at least one natural language message; and receiving, from the administrator, second input indicative of an approval of the DSL, or indicative of a modification to the DSL.

5. The computer-implemented method of claim 4, wherein the second input comprises a natural language message indicative of the modification to the DSL or the second input comprises the modification to the DSL.

6. The computer-implemented method of claim 4, further comprising: outputting a visualization of the authorization model, wherein receiving the second input is based at least in part on the visualization.

7. The computer-implemented method of claim 2, wherein: the at least one natural language message comprises a plurality of natural language messages indicating a plurality of rules of the authorization model, and each message of the plurality of natural language messages corresponds to a respective rule of the plurality of rules.

8. The computer-implemented method of claim 1, wherein receiving the input comprises: receiving the authorization model expressed with a domain-specific language (DSL).

9. The computer-implemented method of claim 1, wherein determining whether the user is authorized to perform the action on the object comprises: performing a first evaluation with the set of relationship tuples based at least in part on the set of relationship tuples comprising the relationship tuples of the first type; or performing a second evaluation with the set of relationship tuples based at least in part on the set of relationship tuples comprising the relationship tuples of the second type, the second evaluation being different from the first evaluation.

10. The computer-implemented method of claim 1, wherein receiving the plurality of relationship tuples comprises: receiving a request to create a relationship tuple at a first time based at least in part on the relationship tuple not existing in the multi-tenant system prior to the first time; and storing the relationship tuple in the multi-tenant system with a first timestamp corresponding to the first time.

11. The computer-implemented method of claim 10, further comprising: receiving a request to delete the relationship tuple, the request comprising a second timestamp; and deleting the relationship tuple in response to the request based at least in part on a second time corresponding to the second timestamp occurring subsequent to the first time corresponding to the first timestamp.

12. The computer-implemented method of claim 1, further comprising: determining an evaluation cost associated with making the determination, wherein the evaluation cost is based at least in part on level of complexity associated with the request; and determining whether the request applies to a service level agreement between the multi-tenant system and the tenant based at least in part on the evaluation cost satisfying a threshold.

13. The computer-implemented method of claim 1, wherein receiving the plurality of relationship tuples comprises: receiving the plurality of relationship tuples from software components designed to operate with the multi-tenant system, the plurality of relationship tuples received in response to actions associated with the users of the tenant.

14. The computer-implemented method of claim 1, wherein receiving the plurality of relationship tuples comprises: receiving the plurality of relationship tuples indicating the plurality of relations between the plurality of users and the plurality of objects, wherein a relationship tuple comprises a relation between a first user and a first object, a relation between a second user and the first object, a relation between the first user and the second user, or a relation between the first user and a group.

15. An apparatus, comprising: one or more memories storing processor-executable code; and one or more processors coupled with the one or more memories and individually or collectively operable to execute the code to cause the apparatus to: receive, from an administrator of a tenant of a multi-tenant system, input indicative of an authorization model for the tenant, the authorization model indicating types of objects of the tenant and types of relations that the types of objects have with users of the tenant; output a first query for a first type of relationship tuple associated with a first type of user identifier; output a second query for a second type of relationship tuple associated with a second type of user identifier; receive a plurality of relationship tuples indicating a plurality of relations between a plurality of users and a plurality of objects based at least in part on the first query and the second query; receive a request to determine whether a user of the tenant is authorized to perform an action on an object; determine whether the user is authorized to perform the action on the object, the determination being made in accordance with the authorization model and a set of relationship tuples of the plurality of relationship tuples, the set of relationship tuples based at least in part on the request, wherein the set of relationship tuples comprises relationship tuples of the first type or the second type; and respond to the request in accordance with the determination.

16. The apparatus of claim 15, wherein: the input comprises at least one natural language message indicating at least one rule of
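The abstract and claims describe a check that is decided from a per-tenant authorization model (object types and their relations) plus relationship tuples, with two kinds of user identifier evaluated differently (claim 9), tuples created and deleted under timestamp ordering (claims 10 and 11), and an evaluation cost attached to each check (claim 12). The following is an added example written for this page, not code from the patent or from any product, showing one way those pieces fit together: the model is a constructed rule DSL (direct tuples, a relation computed from another relation, and a relation inherited from a related parent object), the two user-identifier kinds are a plain user such as "user:alice" and a userset such as "group:eng#member", and all object names, relations and tuples are constructed sample data.

```python
"""Toy relationship-based authorization check (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A relationship tuple: object, relation, user (either a plain user id such as
# "user:alice", or a userset such as "group:eng#member"), and a create timestamp.
@dataclass(frozen=True)
class RelTuple:
    object: str
    relation: str
    user: str
    created_at: int  # logical timestamp stored on create (claim 10)

# Constructed rule DSL for the per-tenant model. A relation holds if ANY of its
# rules holds:
#   ("direct",)                 the relation is granted by a stored tuple
#   ("computed", "owner")       anyone with relation "owner" also has this one
#   ("from", "parent", "viewer") anyone who is "viewer" of an object reached
#                                through the "parent" relation also has this one
Rule = Tuple[str, ...]
Model = Dict[str, Dict[str, List[Rule]]]

TENANT_MODEL: Model = {
    "doc": {
        "owner":  [("direct",)],
        "editor": [("direct",), ("computed", "owner")],
        "viewer": [("direct",), ("computed", "editor"), ("from", "parent", "viewer")],
        "parent": [("direct",)],
    },
    "folder": {"viewer": [("direct",)]},
    "group":  {"member": [("direct",)]},
}


class TupleStore:
    """In-memory tuple store with the create/delete ordering of claims 10 and 11."""

    def __init__(self) -> None:
        self._tuples: Dict[Tuple[str, str, str], RelTuple] = {}

    def write(self, obj: str, rel: str, user: str, ts: int) -> bool:
        key = (obj, rel, user)
        if key in self._tuples:
            return False  # only create a tuple that does not already exist
        self._tuples[key] = RelTuple(obj, rel, user, ts)
        return True

    def delete(self, obj: str, rel: str, user: str, ts: int) -> bool:
        existing = self._tuples.get((obj, rel, user))
        if existing is None or ts <= existing.created_at:
            return False  # delete only when the request time is after creation
        del self._tuples[(obj, rel, user)]
        return True

    def users_for(self, obj: str, rel: str) -> List[str]:
        return [t.user for t in self._tuples.values()
                if t.object == obj and t.relation == rel]


def _check(model: Model, store: TupleStore, user: str, rel: str, obj: str,
           steps: List[int], depth: int) -> bool:
    if depth > 25:
        raise RecursionError("model or tuple graph is cyclic")
    steps[0] += 1  # each sub-evaluation adds to the evaluation cost (claim 12)
    rules = model.get(obj.split(":", 1)[0], {}).get(rel)
    if rules is None:
        return False  # unknown type or relation: deny by default
    for rule in rules:
        if rule[0] == "direct":
            for subject in store.users_for(obj, rel):
                if "#" in subject:
                    # Userset identifier: resolved by a recursive check on the
                    # referenced object (a different evaluation than a plain id).
                    gobj, grel = subject.split("#", 1)
                    if _check(model, store, user, grel, gobj, steps, depth + 1):
                        return True
                elif subject == user:
                    return True  # plain user identifier: direct match
        elif rule[0] == "computed":
            if _check(model, store, user, rule[1], obj, steps, depth + 1):
                return True
        elif rule[0] == "from":
            for parent in store.users_for(obj, rule[1]):
                if _check(model, store, user, rule[2], parent, steps, depth + 1):
                    return True
    return False


def check(model: Model, store: TupleStore, user: str, rel: str, obj: str) -> Tuple[bool, int]:
    """Return (authorized, evaluation_cost) for one check request."""
    steps = [0]
    return _check(model, store, user, rel, obj, steps, 0), steps[0]


def demo_store() -> TupleStore:
    """Constructed sample tuples: alice reaches doc:readme through group and folder."""
    s = TupleStore()
    s.write("group:eng", "member", "user:alice", 1)
    s.write("folder:shared", "viewer", "group:eng#member", 2)
    s.write("doc:readme", "parent", "folder:shared", 3)
    s.write("doc:readme", "owner", "user:bob", 4)
    s.write("doc:secret", "viewer", "user:carol", 5)
    return s


if __name__ == "__main__":
    store = demo_store()
    for who, rel, obj in [("user:alice", "viewer", "doc:readme"),
                          ("user:bob", "editor", "doc:readme"),
                          ("user:carol", "viewer", "doc:readme")]:
        print(who, rel, obj, check(TENANT_MODEL, store, who, rel, obj))
```

The cost counter is what a threshold check against a service level agreement (claim 12) would consume; a deep chain of group-of-group or folder-of-folder tuples raises it, and the depth guard turns a cyclic tenant model into an error rather than a hang. Deleting the folder-to-group tuple with a timestamp earlier than its creation is refused, while a later timestamp removes it and immediately revokes alice's inherited access.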
CPC classification titles:
- Access rights, e.g. capability lists, access control lists, access tables, access matrices
- Tools and structures for managing or administering access control systems
- for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32)
- Entity profiles
- User authentication