Hi! Can anyone suggest how to implement following functionality? There are organizations, grades, departments and employees in my schema(https://play.authzed.com/s/WTS_myhEgBhn/schema). I want to allow department heads to view their organization(ancestor) and applicable grades(sibling?) If possible, I'd like to do it with few/without new relationships in DB to simplify code for updates(less relationships to delete/create), performance as of now is not a priority

hi, for some reason I answered but discord decided not to deliver the message? sorry about that

Well that's sad. Could you rewrite main points from your answer? I need to view parent entity using user's relation to its child for showing parent in UI. Right now I'm thinking of group access(subject relation) or schema with roles and bindings, like one from your blog post about IAM (my system will have a predefined set of roles/permissions, users can have multiple roles), but I hope there is a simpler way

this is one of the proposals I made: https://play.authzed.com/s/Lj5HMKLgz9xA/schema essentially adding

relation department_heads: department#head

to organiation, and use that in

grade

Thanks! Yeah, that works out, but now I'm a bit concerned about managing users' authorities. If you don't mind, could you tell me when it's preferable to use a role/user/binding model? As I said earlier, there will be multiple roles and inherited permissions, so maybe it's better to list all possible roles in one definition like here? https://authzed.com/blog/google-cloud-iam-modeling/

you'd use that model when Roles are used defined. If they are system defined, then I'd say don't bother