it might be better to have the site itself and then do

& site->staff_member

if you think you'll need the site for other things

but I really only need it on the repos that will want a repo unlock

oh, then yeah

that works 🙂

just grant both things at the same time

and you're golden

right 👍 in reality the staff access grant is a prerequisite for the repo unlock

don't think that affects how it looks in the schema

nope

you just write the relationships whenever you need to do so

Back from the lab. I'm not sure this

definition role {
  relation member: user
}

definition repo {
  relation delete_issuer: role#member
  permission delete_issue = delete_issuer
}

will work. The style of grouping this schema models doesn't fit the use case I'm trying to model 😅 I've attached a diagram to (hopefully) help explain how custom roles are modeled at GitHub. GitHub has a notion of a

UserRole

which creates a link between a user

monalisa

, a repo

repo1

, and a role

repo_manager

. The permissions that

repo_manager

grants

monalisa

is valid only on

repo1

. A different user

geoff

can get the role

repo_manager

on a different repo

repo2

. The two grants are indepentent of each other. At this point,

monalisa

has no permissions on

repo2

. Likewise,

geoff

has no permissions on

repo1

. I attempted to model this in the attached diagram. Using the schema above, here's how

monalisa

could get the

repo_manager

role for

repo1

. First make

monalisa

a member of

repo_manager

role:repo_manager#member@user:monalisa

Next, let

repo_manager

members have the

delete_issuer

relationship for `repo1`:

repo:repo1#delete_issuer@role:repo_manager#member

The same thing can be done for

geoff

to give them the

repo_manager

role on

repo2

. We can check to make sure

monalisa

has the

delete_issue

permission on

repo1

and

geoff

has the

delete_issue

permission on `repo2`:

assertTrue:
- repo:repo1#delete_issue@user:monalisa
- repo:repo2#delete_issue@user:geoff

We can also check to make sure

monalisa

has no permissions on

repo2

and

geoff

has no permissions on `repo1`:

assertFalse:
- repo:repo2#delete_issue@user:monalisa
- repo:repo1#delete_issue@user:geoff

Uh-oh, these don't pass!

monalisa

has access to

repo2

and

geoff

has access to

repo1

. 🙀

Also, sorry for the wall of text, just trying to get all my findings out there in one shot 😅

Can you create different roles for the different groups of users or are they all user defined?

I’ll see if I can model this up later tonight when back at my computer

@User if the roles are predefined (i.e.

role_manager

is a defined Github role type), and its per user per repo, you can do something like this: https://play.authzed.com/s/Ci8GGHHCNeg3/schema

> Can you create different roles for the different groups of users or are they all user defined? I'm not 100% sure what this is asking. I should be more clear, we have two types of roles, system roles and custom roles. System roles are

read

,

write

,

admin

, etc. They a set of permissions which GitHub decides and they cannot be changed. Your playground is an excellent example of how we can model those. The difficult situations come with custom roles. Orgs can have custom roles, which are roles that represent a collection of permissions that the org admins can hand-pick. So if a user has the

write

role on a repo, I can follow your playground and make a

write

role a relation on the

repository

definition. But if a user has a custom role, it's trickier. I can't write it directly into the schema like

write

because I don't know the permissions the custom role allows. The custom role can have permissions dynamically added and removed at the org admins' discretion.

yeah, so it is user defined roles then

that's a bit more complicated

let's resume discussing on Monday 🙂

Agreed, have a great weekend ✌️

After reading the post https://authzed.com/blog/user-defined-roles/ i have a quesion about "how permission on resource mapping to capability on project", is there any way require no manual modeling. In my case project like a container, project owner can request a lot of resources(like issues in github case) to be imported into project.Above post suggesting define capabilities on project which grouping resources' permissions ,before granting role-capability-project tuple.For easing the burden of project owner when adding new resource, is it ＯＫ to just bypass the capability modeling and do 1 to 1 permission mapping only? For example auto mapping create_comment permission on issue to issue.create_comment relation on project , when user select to add issue resource to the project.

@User are you asking if there is a way to have

create_permission

include the users who have permission to create an issue comment on the parent project?

actually i want the project to have all child resource permissions definition ,then be able to grant these permissions to a custom role

@User here is what I put together for the GH roles on Friday: https://play.authzed.com/s/rpYDbP71jJ_V/schema. This allows for roles to be granted permissions, and then a role to be granted for a specific user on a repo. You may be able to adapt it to your needs.

ＯＫ🤝

Hey folks -- sorry if I'm asking in the wrong place. But I can't figure out how to bootstrap SpiceDB locally with a postgres datastore. Are there some docs on how to do it properly? Right now if I start Spice via docker I get an error saying the database doesn't exist in pg. If I create the database, it complains its tables aren't there. How do I get it to bootstrap itself?

@User you need to create the database by hand, and then run

spicedb migrate

Awesome, I'll try that. Thanks Jake.

(making sure that you have all of the correct datastore flags set)