Hello! I’m back with another question. I’m trying to model a concept we have which is “custom” roles, basically roles that consist of a set of configurable permissions and a role can be assigned to a user or a team. After a lot of trial and error I found this example https://discord.com/channels/844600078504951838/844600078948630559/905094756529471551 which helped me get it working for users as role members. Here’s what that looks like…

definition github/issue {
  ...
  relation repository: github/repository
  permission close = repository->close_issue
}
definition github/repository {
  ...
  relation role: github/role
  permission delete = role->delete_repo

  // synthetic permissions for objects that hang off of repo
  permission close_issue = role->close_issue
  
}

definition github/role {
  relation member: github/user
  relation has_delete_repo: github/role#member
  relation has_close_issue: github/role#member
  relation has_add_repo_topic: github/role#member

  permission delete_repo = member  & has_delete_repo
  permission close_issue = member & has_close_issue
}

I now want to make this work for members of a team when that team is assigned a role, and I thought this update would work, but its not!

definition github/role {
  relation member: github/user | github/team
  permission delete_repo = (member + member->membership) & has_delete_repo
  permission close_issue = (member + member->membership) & has_close_issue
}


def github/team {
  relation maintainer: github/user
  relation member: github/user

  permission membership = maintainer + member
}

Here is my playground https://play.authzed.com/s/8PHCe2ITEXdm. Any ideas?

I think changing it to

relation member: github/user | github/team#member

will get you closer to what you want: https://play.authzed.com/s/LOB262BJFTMK/schema

That looks like it worked! We've been relying on the

membership

permission thats in the

team

object but I wonder if we can replace some of those

member->membership

invocations with just

member

in the permission and use

github/team#member

in the relations

@User likely, yeah

the general rule of thumb is to use a type's relation instead of the type itself, if you're including the subjects within the relation

so in the case of a team, you want to include its members, so use

#member

, instead of the team "itself"

Ok good to know. I'll see what I can update, but i'm unblocked now. Thanks so much!

anytime 🙂

Have we tried on MongoDb? I am asking as we already have SQL server and Mongo in our stack and adding one more db require some effort at enterprise level to get approval etc.

We haven’t tried using mongodb, it might work if they support transactions across all shards

let me check that.

SQL server should be relatively straightforward adaptation from the Postgres driver, but may be difficult to use as a globally distributed backend

One more thing Jake as discussed with you I forget to mention there could be some data to be shared between apps? in that case different schema for different apps will work?

Is there any way to have some common data between multiple Schema?

not right now, no, they would have to share a tenant and schema

yea, mongo supports transactions

4.2+ allows for distributed transactions

> MongoDB introduces distributed transactions, which adds support for multi-document transactions on sharded clusters and incorporates the existing support for multi-document transactions on replica sets. > it sounds like that's what you need but I could be wrong.

Would need to investigate how to do time travel queries, doesn’t look like it’s built in, and transactions would have to be sufficient to ensure manual MVCC integrity

i think they added time travel in 5.0

woops

wrong link

are you a mongo fan / interested in this datastore implementation as well?

its my primary store at the moment but i don't mind using sql for authz

especially if looking to the future, cockroach db is... impressive

at the same time, i think i'd rather use your service tbh. then it doesn't matter where the data is being stored

ok, was just wondering if I could build a case for implementing mongo