jamesp
05/01/2024, 2:42 PM
GDPR and HIPAA, so you might end up with a resource that looks something like document.tags = ["GDPR", "HIPAA"]
2) Likewise, users can be members of these tags (typically after receiving the appropriate training). So a user might look something like user.tag_memberships = ["GDPR", "CCPA"].
What I want to express:
A user has read permissions on a document if they are a member of all of a document's tags.
For example, if I have document.tags = ["GDPR", "HIPAA"] and alice.tag_membership = ["GDPR", "CCPA"], then Alice should not have read permission on document. But if I have bob.tag_membership = ["GDPR", "HIPAA"], then Bob should have read permission on document.
I can get the easier case of "users must have membership in at least one document tag" expressed easily in spice (https://play.authzed.com/s/wRJQSATx7Bj0/assertions):
definition user {}

definition document {
    relation tag_viewer: tag
    relation viewer: user
    permission view = viewer & tag_viewer->member
}

definition tag {
    relation direct_member: user
    permission member = direct_member
}
But can't figure out how to require 100% overlap between the relationships.