# spicedb
  /** user is the subject type for the human principals in this schema (admins,
   *  members, readers, writers, and the `user:*` wildcard viewers). It declares
   *  no relations or permissions of its own. */
  definition user {}

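  /** platform represents the deployment as a whole; its administrators are the
   *  "superadmins" that other definitions reach through an arrow. */
  definition platform {
      /** administrator is a platform-wide administrator (superadmin) */
      relation administrator: user

      /** admin is the name the organization definition's arrow
       *  (`orgplatform->admin`) resolves. An arrow must name a relation or
       *  permission that actually exists on the target definition, otherwise
       *  the schema is rejected when written, so it is declared explicitly
       *  instead of relying on the `administrator` relation name. */
      permission admin = administrator
  }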

  /** if_org_public gates a relationship on a `visibility` string equal to
   *  "org_public". The value comes from caveat context, supplied either when
   *  the relationship is written or in the context of the check.
   *  NOTE(review): a check whose context lacks `visibility` is not a plain
   *  denial in SpiceDB — it comes back as a conditional result — so callers
   *  must treat anything other than an explicit HAS_PERMISSION as denied. */
  caveat if_org_public(visibility string) {
      visibility == "org_public"
  }

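  /** organization represents an organization that contains projects */
  definition organization {
      /** orgplatform links the org to the platform so that platform
       *  administrators inherit org admin through the arrow below. */
      relation orgplatform: platform

      /** administrator indicates that the user is an admin of the org */
      relation administrator: user
      /** member indicates that the user belongs to the org */
      relation member: user

      /** public_viewer is a wildcard relation: writing
       *  `organization:X#public_viewer@user:*` makes every user id a viewer,
       *  including ids that were never created. Nothing in the schema ties it
       *  to a visibility value — the application writes or deletes that
       *  relationship when visibility changes, so that write path is the real
       *  enforcement point and should be gated by set_visibility below. */
      relation public_viewer: user:*

      /** admin is held by org administrators and by platform administrators.
       *  The arrow targets `administrator`, which is the relation the
       *  platform definition declares; the original `orgplatform->admin`
       *  named a permission that platform does not define, and an arrow to an
       *  undefined name is rejected when the schema is written. */
      permission admin = administrator + orgplatform->administrator
      permission view = member + admin + public_viewer
      permission create_project = member + admin
      /** NOTE(review): any member — not only admins — may delete projects.
       *  Confirm this is intended before relying on it. */
      permission delete_project = member + admin
      permission add_user = admin
      permission remove_user = admin
      /** set_visibility is the permission that should gate writing or
       *  deleting the public_viewer relationship above. */
      permission set_visibility = admin
  }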

  /** project represents a project with access control */
  definition project {
      /** projectorg links the project to its owning organization; the admin
       *  permission below follows it via an arrow.
       *  NOTE(review): nothing in the schema forces the org_public_viewer
       *  relationship to name this same organization — whoever writes
       *  relationships must keep the two consistent. */
      relation projectorg: organization

      /** public_viewer is a wildcard relation: `project:X#public_viewer@user:*`
       *  makes every user id a viewer. The "if the visibility is public"
       *  condition is not expressed in the schema — it is whether the
       *  application has written that relationship, so the write/delete of it
       *  is the enforcement point (see set_visibility). */
      relation public_viewer: user:*
      /** org_public_viewer grants view to everyone holding `view` on the
       *  referenced organization while the if_org_public caveat holds.
       *  NOTE(review): `organization#view` is broader than "any user in
       *  projectorg": it includes org administrators, whatever the org's
       *  admin arrow resolves to, and the org's `public_viewer` wildcard — so
       *  an org_public project inside an org that is itself public is visible
       *  to every user. If only members were meant, `organization#member` is
       *  the narrower target. */
      relation org_public_viewer: organization#view with if_org_public

      /** administrator is a direct project admin (see the admin permission) */
      relation administrator: user
      /** reader is granted view below */
      relation reader: user
      /** writer is a direct project role; note that only the permissions
       *  visible in this definition say what it grants */
      relation writer: user

      /** implicit permission grouping the admin roles; not used directly by
       *  application code. The arrow follows the organization's
       *  `administrator` relation, not its `admin` permission, so a platform
       *  administrator who is org admin only through the org's platform arrow
       *  does NOT get project admin. If platform admins should administer
       *  projects, arrow to `admin` instead. */
      permission admin = projectorg->administrator + administrator

      // admin perms
      permission add_member = admin
      permission remove_member = admin
      permission update_member_permissions = admin
      /** set_visibility presumably gates writing/deleting the public_viewer
       *  and org_public_viewer relationships — confirm the application checks
       *  it on that path. */
      permission set_visibility = admin

      // regular perms
      /** view: admins, readers, public viewers and caveated org-public viewers.
       *  NOTE(review): `writer` is not part of this union — if the expression
       *  is complete as shown, writers cannot view the project. Confirm whether
       *  that is intended. */
      permission view = admin + reader + public_viewer + org_public_viewer