vganshin
03/13/2023, 9:46 AM
vroldanbet
03/13/2023, 10:10 AM
vganshin
03/13/2023, 10:51 AM
person:p-1#member@group:gr-1 instead of group:gr-1#member@person:p-1
So I had to transform my graph into a hierarchy.
Is it possible to write relation group#member@person and implement the policy I need?
Joey
03/13/2023, 11:47 AM
vganshin
03/13/2023, 12:12 PM
read permission for person in this case?
definition user {}
definition group {
    relation manager: user
    relation member: group
}
definition person {
    permission read = member; // wrong
}
SpiceDB reports a problem
> relation/permission member not found under definition person
Joey
03/13/2023, 12:26 PM
vganshin
03/13/2023, 12:48 PM
definition user {}
definition group {
    relation manager: user
}
definition person {
    relation member_if: group
    permission read = member;
}
but then my triplet group:gr-1#member@person:p-1 is wrong. It must be reversed. person:p-1#member_of@group:gr-1.
It leads me to another question. Can I tell SpiceDB that relation group:gr-1#member@person:p-1 implies relation person:p-1#member_of@group:gr-1?
Joey
03/13/2023, 12:55 PM
vganshin
03/13/2023, 12:56 PM
PUT /Group/gr-1
member:
- id: p-1
I would like to have the same graph model in my app and SpiceDB. But as we can see, in order to implement my security policy, I have to reverse the relationship between Group and Person. It is not possible to do it in my app, and I want to know if I may just push relationships from my app to SpiceDB as is, or if I have to implement some logic on the app side to find out how to write the triplet into SpiceDB.
Joey
03/13/2023, 12:56 PM
vganshin
03/13/2023, 12:58 PM
Joey
03/13/2023, 1:01 PM
vganshin
03/13/2023, 1:37 PM
Joey
03/13/2023, 1:39 PM
vganshin
03/13/2023, 4:50 PM
User(manager) → Group → Person and User(member) → Group), but not in the auth model.
I think I agree that hierarchy badly describes ReBAC. But what did you mean by 'upside-down "V" shape'? I can't find anything on Google.
Joey
03/13/2023, 8:42 PM
vganshin
03/14/2023, 11:33 AM