Hi

fix

03/15/2023, 8:42 AM
Hi! Can anyone suggest how to implement the following functionality? There are organizations, grades, departments and employees in my schema (https://play.authzed.com/s/WTS_myhEgBhn/schema). I want to allow department heads to view their organization (ancestor) and applicable grades (sibling?). If possible, I'd like to do it with few/without new relationships in DB to simplify code for updates (fewer relationships to delete/create); performance as of now is not a priority

vroldanbet

03/15/2023, 9:49 AM
hi, for some reason I answered but Discord decided not to deliver the message? sorry about that

fix

03/15/2023, 12:22 PM
Well, that's sad. Could you rewrite the main points from your answer? I need to view the parent entity using the user's relation to its child for showing the parent in the UI. Right now I'm thinking of group access (subject relation) or a schema with roles and bindings, like the one from your blog post about IAM (my system will have a predefined set of roles/permissions, users can have multiple roles), but I hope there is a simpler way

vroldanbet

03/15/2023, 12:25 PM
this is one of the proposals I made: https://play.authzed.com/s/Lj5HMKLgz9xA/schema essentially adding `relation department_heads: department#head` to organization, and use that in `grade`

fix

03/15/2023, 1:09 PM
Thanks! Yeah, that works out, but now I'm a bit concerned about managing users' authorities. If you don't mind, could you tell me when it's preferable to use a role/user/binding model? As I said earlier, there will be multiple roles and inherited permissions, so maybe it's better to list all possible roles in one definition like here? https://authzed.com/blog/google-cloud-iam-modeling/

vroldanbet

03/15/2023, 3:36 PM
you'd use that model when Roles are user defined. If they are system defined, then I'd say don't bother