https://authzed.com logo
#spicedb
Title
# spicedb
j

jhleao

05/10/2023, 7:24 PM
Hi. We are migrating our permissions system to Authzed and I have a question on how to model a specific part of it. We have workspaces, projects and boards. Any rights people have on an upper level, are inherited on the lower level. As follows:
Copy code
definition app/user {}

definition app/workspace {
    relation viewer: app/user
    relation editor: app/user
    permission read = viewer
    permission write = editor
}

definition app/project {
    relation workspace: app/workspace
    relation viewer: app/user
    relation editor: app/user
    permission read = viewer + workspace->read
    permission write = editor + workspace->write
}

definition app/board {
    relation project: app/project
    relation viewer: app/user
    relation editor: app/user
    permission read = viewer + project->read
    permission write = editor + project->write
}
The rule we're trying to model now is, people that are part of a
board
, but not part of the respective
workspace
, should have a specific permission set on that
workspace
, that we call "guest" permissions. Perhaps something like this pseudo code:
Copy code
definition app/workspace {
    permission guest_read: linked_projects->linked_boards->viewer
}
This would be the other way around of the -> operator. Making a lookup on a relation that lives on other definitions. Is this possible? Or how else would you suggest modeling this rule?
2 Views