844600078504951838 #spicedb

Channels

spicedb

test-forum

zanzibar

Bryan

12/03/2021, 7:53 PM

No worries, its not urgent.

Joey

12/03/2021, 8:16 PM

@User is there a need to control roles as distinct groups of users, or is the grant always to a specific user, on a specific repo?

Bryan

12/03/2021, 8:17 PM

The latter. A specific user on a specific repo.

Joey

12/03/2021, 8:18 PM

in general, if the role is not going to be used outside of the context of the particular resource, its recommended to just have users be granted directly on a relation on the repo

Joey

12/03/2021, 8:19 PM

for example:

definition repo {
  relation delete_issuer: user
  permission delete_issue = delete_issuer
}

Joey

12/03/2021, 8:19 PM

basically, you remove the idea of a

role

object type, and just have users be granted a particular relation on the repo itself

Joey

12/03/2021, 8:19 PM

however, this only works IF you don't expect to need to manage the entire role across repos in any manner

Joey

12/03/2021, 8:20 PM

(my bad naming aside, of course :))

Bryan

12/03/2021, 8:22 PM

Gotcha. Currently, custom roles can be dynamically managed. That is to say, an org owns a role and an org admin can add or remove permissions from that role. So looking back at > Is there a need to control roles as distinct groups of users, or is the grant always to a specific user, on a specific repo? It's a little of both.

Joey

12/03/2021, 8:23 PM

yeah, if the roles are completely custom, then that's a different open question

Joey

12/03/2021, 8:23 PM

in that case, I believe a role is "owned" by an org

Joey

12/03/2021, 8:24 PM

you could think of those as you mentioned, as a group of users

Joey

12/03/2021, 8:24 PM

definition role {
  relation member: user
}

definition repo {
  relation delete_issuer: role#member
  permission delete_issue = delete_issuer
}

Joey

12/03/2021, 8:24 PM

so any member of a particular role can delete issues

Joey

12/03/2021, 8:25 PM

that role would be "owned" by an org, and then you can grant the members of that role (group) delete issue power on the repo

Joey

12/03/2021, 8:25 PM

this has the caveat of that grant having to be done per repo

Bryan

12/03/2021, 8:35 PM

Okay, just trying to work this out. So if I have

repo1

and I want to give

monalisa

the

repo_manager

role which can delete and reopen issues, it would look something like this:

role:repo_manager#member@user:monalisa
repo:delete_issuer#role:repo_manager#member
repo:reopen_issuer#role:repo_manager#member

Bryan

12/03/2021, 8:35 PM

And I would have to do the last 2 lines again if I wanted to give

monalisa

that role for

repo2

Joey

12/03/2021, 8:36 PM

repo:repo1#delete_issuer@role:repo_manager#member

Joey

12/03/2021, 8:36 PM

that would grant any member of the role the ability to delete issues

Joey

12/03/2021, 8:36 PM

you could also grant such ability directly to

monalisa

, if you allow

user

on the right hand side of the

relation

as well

Joey

12/03/2021, 8:37 PM

(edited the above to make it reference your

repo1

)

Bryan

12/03/2021, 8:37 PM

Ah I see. I think I'm going to take this back to the lab and try a few different use cases!

Bryan

12/03/2021, 8:38 PM

Thanks for the help 🙂

Joey

12/03/2021, 8:39 PM

anytime! don't hesitate to ping here or me personally if you have any further questions or ideas you want me to badly name

bryana

12/03/2021, 8:54 PM

I think I found a good way to solve for this!

bryana

12/03/2021, 8:57 PM

https://play.authzed.com/s/1CF36Ha3wlbN/schema

Joey

12/03/2021, 8:58 PM

so you'll need a

staff_access_grant

on every repo

bryana

12/03/2021, 8:58 PM

yes, which is actually a thing! I thought I'd put it aside but it turns out it helps in this situation

Joey

12/03/2021, 8:58 PM

yeah