yetitwo
03/14/2023, 8:18 PM

corkrean
03/14/2023, 8:29 PM

yetitwo
03/14/2023, 8:31 PM

corkrean
03/14/2023, 9:29 PM

yetitwo
03/14/2023, 10:06 PM
`user:*`. This will allow us to express the concept: “any user who holds this role will have this permission”.
How is this actually used/computed? Like in the role binding where it's:
permission blah = user & role->blah
what makes the `user:*` bit on the role important for that computation other than that the relation exists? what explicitly ties it back to the user, and what about that prevents you from using another subject in that computation?

ecordell
03/16/2023, 2:07 PM
`role->blah` is `user:*` then `user & user:* == user`, i.e. the intersection of one user with all users is just the one user
if `role->blah` is not `user:*` (the role doesn't grant that permission), then `user & [empty] == [empty]`, i.e. the intersection of one user with no users is no users
if `user` is not set, then the rolebinding isn't bound to a user, and the intersection will be empty even if the role binds to `user:*`
(I'm going based off your example here, I don't have the blog post open to compare, sorry if I contradicted the schema in some way)

yetitwo
03/16/2023, 2:31 PM