https://authzed.com logo
Join Discord
Powered by
:doggowave: Howdy!
# spicedb
k
Howdy! I'm following along the User Defined Roles blog post, but I've run across a wrinkle for my specific use case + wanted to check if something was possible. Given the following schema:
Copy code
definition subject_a {}
definition subject_b {}

definition group {
  relation action_a_taker: todo

  permission action_a = action_a_taker
}

definition role {
  relation group: group
  relation role_user: subject_a | subject_b
}
Is it possible to specify a specific object type in combination with a subject relation? Something like:
Copy code
relation action_a_taker: role#role_user but only if role_user is of type subject_a
v
👋 howdy, no that's not possible, if you reference 
role#role_user
, you take any possible type of that relation. But how is that impacting your usecase? When you do a 
PermissionCheck
you specify a type, so if you do check 
resource1 view subject_a
then 
subject_b
will be ignored. So I guess I have to ask what are you trying to actually achieve?
k
(sorry for the late response, it took me an embarrassing amount of time to think of an anonymized example) I'm trying to migrate an existing auth system over to SpiceDB (and it's a little janky). In that existing system, I have a unified list of roles (that should really ideally be split up) but some of the roles can only be assigned to specific combinations of subject types and resource types. Here's a rough example of the kind of setup I'm working with: Say you have the following entities:
Copy code
blog
person
user_account
profile
And the following roles:
Copy code
site_admin
use_account
edit_profile
Here are the constraints:
Copy code
- the only valid role when the object is a blog is "site_admin", and the subject must be a person
- a person (the subject) may have either the "moderator" or "use_account" role to a user_account (the object), but would never have a role directly to the profile
- a user account (the subject) may only have the role "edit_profile" to a profile (the object), but would not be the subject in any other rules
So I would like to achieve something like this:
Copy code
definition blog {
    relation site_admin: rule#actor (but only valid if rule#actor is a person)
}

definition person {}

definition user_account {}

definition profile {
    relation editor: rule#actor (but only valid when the rule#actor is a user_account)
}

definition rule {
    relation parent_blog: blog
    relation actor: person | user_account
}
PreviousNext
Powered by