reza152
01/17/2024, 10:43 PM
org and workspace, which is the parent. After creating the parent-child relationship, it worked as expected (I can see the org admin user in the result of the LookupSubjects call for workspace).
P.S. I want to simulate the behavior of the GitLab RBAC system.
java
// user is the subject type referenced by every relation below; it declares no
// relations or permissions of its own.
definition user {}
// org has no parent relation; its roles are assigned directly to users.
definition org {
    relation admin: user
    relation member: user

    // Any direct admin or member may read the org.
    permission read = member + admin

    // Mutating permissions are granted to direct admins only.
    permission create = admin
    permission update = admin
    permission delete = admin
}
// workspace hangs off an org through `parent` and combines its own roles with
// the roles held on that org.
definition workspace {
    relation parent: org
    relation admin: user
    relation member: user

    // parent->admin and parent->member walk to the org's relations of the same
    // name, so org admins and members can read every workspace whose parent is
    // that org. This only takes effect once a `parent` relationship from the
    // workspace to its org has actually been written.
    permission read = admin + member + parent->admin + parent->member

    // Org admins also hold the mutating permissions on child workspaces;
    // org members do not.
    permission create = parent->admin + admin
    permission update = parent->admin + admin
    permission delete = parent->admin + admin
}
// project hangs off a workspace through `parent` and combines its own roles
// with the roles assigned directly on that workspace.
definition project {
    relation parent: workspace
    relation admin: user
    relation member: user

    // NOTE(review): the arrows below target the workspace's `admin` and
    // `member` relations, not its permissions, so only users assigned directly
    // on the workspace are reached. Org-level admins and members, who obtain
    // workspace access through workspace.parent, are not carried down to
    // projects. If GitLab-style inheritance from the org is intended, point the
    // arrows at workspace permissions instead (e.g. parent->read,
    // parent->update) and confirm the intent before widening access.
    permission read = admin + member + parent->admin + parent->member

    permission create = parent->admin + admin
    permission update = parent->admin + admin
    permission delete = parent->admin + admin
}
js
// Ask which subjects of type "user" hold "read" on workspace:it_department.
//
// FullyConsistent evaluates the request against the latest datastore revision
// rather than a cached one. That suits verifying a relationship that was just
// written; for steady-state traffic, AtLeastAsFresh with the ZedToken returned
// by the write is the cheaper choice.
req := &v1.LookupSubjectsRequest{
	Consistency: &v1.Consistency{
		Requirement: &v1.Consistency_FullyConsistent{FullyConsistent: true},
	},
	Resource: &v1.ObjectReference{
		ObjectType: "workspace",
		ObjectId:   "it_department",
	},
	Permission:        "read",
	SubjectObjectType: "user",
}

// NOTE(review): presumably authz is an authzed-go client, in which case resp is
// a server stream: check err first, then call Recv until io.EOF to collect the
// subjects. context.Background() carries no deadline, so nothing bounds the call.
resp, err := authz.LookupSubjects(context.Background(), req)