caveat type_can_view(user_type string) {
  user_type == 'can-view-type'
}

definition user {
  relation organization: organization
  relation not_allowed_self_edit: user
  relation self: user with type_can_view

  permission view = self + organization->view_members
  permission edit = organization->edit_members
}