I'm pretty sure there is not an issue, but we may be sketched out an internal design doc.

If you create one, we'll scrape up our thoughts and add them

I'll do that 👌🏻

Happy weekend! 👋🏻

Hi! I'm on the GitHub team working on modeling our authz with spicedb, and had a question about "self" relationships. A resource can live under an organization or a user (think repos or packages). In order to see if a user can create a resource under an organization, it's simple to model it with a

member

check.

definition github/organization {
  ...
  permission create_resource = membership
}

I'm looking at the user owned case, and want to limit creating resources owned by the user to the user only. Is there a

self

relationship available in the schema language? I'd like to be able to define:

definition github/user {
  ...
  permission create_resource = self

And then have an assertion:

assertTrue:
  - github/user:cjs#create_package@github/user:cjs
assertFalse:
  - github/user:cjs#create_package@github/user:rando

The alternative is to define a container that can be owned by a user (or org) that holds the

create_resource

permissions.

for quay we did this in a container called

namespace

there is no "self" relationship as such, though you could define one but then you would need to actually bind the user to itself using that relation name

having the namespace container is really convenient for converting users to orgs

I like the

namespace

concept better. You're not creating a resource on the user, but in the user's

namespace

.

it can also be used down the road for multiple namespaces per org/user or namespace hierarchies with cascading permissions

FWIW multiple namespaces per org is something I've always wanted from github

I'd love to be able to give that to you, but it would be ... complicated. The best workaround is to have a

business

that owns several

organizations

each being their own namespace. Unfortunately, that has flaws (i.e. ensuring membership & teams between orgs are identical).

> (i.e. ensuring membership & teams between orgs are identical).

this is exactly why we needed it

Are you able to share what visualization tool is being used to produce these graphs? I'd like to be able to generate these for my organization.

hi @User we use https://visjs.github.io/vis-network/docs/network/, via a React wrapping library we wrote

Fabulous. Thank you.

do you want to be able to generate that style of graph or permissions system graphs specifically?

Permissions system graphs

You cannot just use the visualization tab with your own schema in the playground?

What visualization tab?

@User the tab in the bottom panel: "System Visualization"

Ahhhhhh

Thank you

perhaps it needs a better name 🙂

Yep, I got it now. This is way faster than prototyping in lucidchart

@User where did you see the original chart if not there?