Hi, I'm trying to model a hierarchy of folders where any

folder

can be assigned to a user - who then has the

can_manage

permission on it and all descendents. Pretty standard stuff, but the quirk is that an assignee should remove permission from any assignee made further up the tree. I have this schema -

definition user {}

definition platform {
    relation default_assignee: user

    permission can_manage = default_assignee
}

definition folder {
    relation parent: folder | platform
    relation direct_assignee: user

    // this permission should traverse to parent->can_manage only if direct_assignee relationship is empty
    permission can_manage = direct_assignee + parent->can_manage
}

definition file {
    relation parent: folder

    permission can_manage = parent->can_manage
}

( https://play.authzed.com/s/mPTg5isqHSCb/schema has this, test data and assertions for the desired behaviour). I'm stumped on how to express

folder.can_manage

- '+' isn't right. Any hints gratefully received 🙂