https://authzed.com logo
Powered by
spicedb
  • y

    yetitwo

    12/13/2022, 5:53 PM
    that makes sense
  • y

    yetitwo

    12/13/2022, 5:53 PM
    but how would i go about saying "this user can create roles?"
  • y

    yetitwo

    12/13/2022, 5:54 PM
    that's the meta part i'm struggling with
  • j

    Joey

    12/13/2022, 5:54 PM
    well, where do roles "live"?
  • y

    yetitwo

    12/13/2022, 5:54 PM
    or is that the wrong way to think about it because we model things using relations and not entities in spicedb?
  • j

    Joey

    12/13/2022, 5:54 PM
    are they owned by an organization, namespace, the platform overall?
  • j

    Joey

    12/13/2022, 5:54 PM
    if an organization, you'd do something like
  • j

    Joey

    12/13/2022, 5:54 PM
    definition organization {
  relation owner: user
  permission can_create_role = owner
}
  • t

    Toi

    12/13/2022, 6:05 PM
    Hello everyone, how is it going? Just got here! I'm attempting to model my usecase but I'm having some trouble finding a solution. Basically, my use case consists of permissions, but these permissions might have a scope. For example: We have organizations, employees and teams. An employee may be part of a team and also part of an organization. An administrator of a given organization will have the option to give a particular employee the permission to view all employees in an organization. It may also give another employee the permission to view only employees of the same team. And we want the administrator to mix and match these permissions as much as it likes (we will have a bunch of permissions like that) Is there a suggested schema to achieve this?
  • j

    Joey

    12/13/2022, 6:08 PM
    you can usually accomplish this by having different relations, like so: 
    definition user {}

definition organization {
  relation employee_viewer: user
  permission view_employees = employee_viewer
}

definition team {
  relation org: organization
  relation member: user
  permission view_employees = member + org->view_employees
}
  • j

    Joey

    12/13/2022, 6:08 PM
    so in this case, if a user is a 
    member
    of a team, they can view that team's employees
  • j

    Joey

    12/13/2022, 6:08 PM
    OR if a user is an 
    employee_viewer
    on the organization, they can view the members of any team (under that org)
  • t

    Toi

    12/13/2022, 6:12 PM
    Hm, very interesting! So I could also have: 
    definition employee {
  relation team: team
  relation org: organization
  permission view = org->view_employees + team->view_employees
}
    Sounds like a good idea! The only downside is that I'll have to update the schema with each new permission, but might not be a big of a deal
  • j

    Joey

    12/13/2022, 6:13 PM
    yeah
  • j

    Joey

    12/13/2022, 6:13 PM
    if you have the team 
    view_employees
    defined above like I did, you wouldn't need to add the 
    org->view_employees
    to the 
    employee
  • j

    Joey

    12/13/2022, 6:14 PM
    because 
    team->view_employees
    would walk to its parent organization too
  • j

    Joey

    12/13/2022, 6:14 PM
    if that's the design you like
  • t

    Toi

    12/13/2022, 6:14 PM
    Makes sense!
  • j

    Joey

    12/13/2022, 6:18 PM
    if you didn't want to have to update the schema each time with a new permission, you could do it dynamically, but that's less efficient, so only do so if you need the dynanism
  • j

    jzelinskie

    12/13/2022, 6:24 PM
    it's also a bit safer to update the schema each time, because you can lean on SpiceDB for validation and, if you ever need to migrate data, having things organized ahead of time makes it much easier to discover the data you need to migrate
  • y

    yetitwo

    12/13/2022, 7:01 PM
    i've got a baby version of a role-based schema: 
    definition user {}

definition role {
    relation bearer: user
}

definition site {
    relation reader: role
    relation writer: role

    permission read = reader
    permission write = writer
}

definition site_trial {
    relation site: site
    relation reader: role
    relation writer: role

    permission read = site->reader + reader
    permission write = site->writer + writer   
}
    and when i go to add a relation between a user->role and role->site, and then assert that that user has (say) "write" on the given site, I'm getting an error. do you need intermediate permissions? i was under the impression that spicedb would walk all relations to end at a given permission
  • y

    yetitwo

    12/13/2022, 7:01 PM
    i can post my sample data if that'd help make it more concrete or if the problem isn't immediately obvious
  • j

    Joey

    12/13/2022, 7:02 PM
    @yetitwo do you have a playground link?
  • y

    yetitwo

    12/13/2022, 7:02 PM
    https://play.authzed.com/s/zyBgdmcF-eob/schema
  • y

    yetitwo

    12/13/2022, 7:02 PM
    ah that is a nifty feature
  • j

    Joey

    12/13/2022, 7:02 PM
    yep!
  • j

    Joey

    12/13/2022, 7:02 PM
    and the next release will have debugging on check watches too
  • j

    Joey

    12/13/2022, 7:02 PM
    so you can see why it didn't resolve
  • j

    Joey

    12/13/2022, 7:04 PM
    oka
  • j

    Joey

    12/13/2022, 7:04 PM
    so the problem is
1...299300301...325Latest