yetitwo
05/14/2024, 1:49 PMIan
05/14/2024, 1:51 PMyetitwo
05/14/2024, 1:52 PMyetitwo
05/14/2024, 1:52 PMIan
05/14/2024, 1:56 PMyetitwo
05/14/2024, 1:57 PMJoey
05/14/2024, 2:17 PMJoey
05/14/2024, 2:17 PMIan
05/14/2024, 2:56 PMJoey
05/14/2024, 3:07 PMIan
05/14/2024, 3:18 PM"groups": ["group1", "group2"]
So generally, it says they are members of a group or roleJoey
05/14/2024, 3:27 PMJoey
05/14/2024, 3:28 PMIan
05/14/2024, 3:31 PMmember
relation on a group
resource in our authorization model. Then permissions would be determined from the groups relation with other resources. You could think of it as well in terms of roles, the claims in the token would represent the roles that have been assigned to the user from the external IDP, so those roles would then have relations with other objects.Joey
05/14/2024, 3:51 PMIan
05/14/2024, 4:01 PMproject
, and project would have a relation owner: group#member
, and permissions would apply to the project resouce based on the members of the owner
group.Joey
05/14/2024, 4:01 PMIan
05/14/2024, 4:03 PMJoey
05/14/2024, 4:04 PMuser:*
and check the group IDJoey
05/14/2024, 4:04 PMJoey
05/14/2024, 4:05 PMcaveat has_matching_group_id(group_id string, users_group_ids list<string>) {
users_group_ids.contains(group_id)
}
definition group {
relation member: user:* with has_matching_group_id
}
then write a relationship group:whatever#member@user:*[has_matching_group_id:{"group_id": "whatever"}]
Joey
05/14/2024, 4:05 PMJoey
05/14/2024, 4:06 PMJoey
05/14/2024, 4:06 PMJoey
05/14/2024, 4:07 PMIan
05/14/2024, 4:09 PMJoey
05/14/2024, 4:14 PMJoey
05/14/2024, 4:14 PMgroup
itselfJoey
05/14/2024, 4:14 PMJoey
05/14/2024, 4:14 PMcaveat has_matching_group_id(allowed_group_ids list<string>, users_group_ids list<string>) {
// ensure the groups have crossover
}
definition project {
relation viewer: user:* with has_matching_group_id
}
Joey
05/14/2024, 4:15 PMproject
Joey
05/14/2024, 4:15 PMJoey
05/14/2024, 4:16 PMIan
05/14/2024, 4:38 PMIan
09/12/2025, 3:14 PMfor relation `user`: relation/permission `group#member` includes wildcard type `user` via relation `group#member`: wildcard relations cannot be transitively included(group#member)
I've created this playground example with a minimal reproducable example. Do you have any ideas how I might be able to fix this? Unfortunately we've built most of our authz system assuming this would work, but now are running into an issue on this last feature. Thanks for the help!
https://play.authzed.com/s/Ga68wFUVbt3k/schemaIan
09/12/2025, 3:15 PMIan
09/12/2025, 3:25 PMyetitwo
09/12/2025, 3:30 PMyetitwo
09/12/2025, 3:30 PMrole_binding
could have both relation user: user
and relation group: group
and then the permission would be (user + group->member)
Ian
09/12/2025, 3:30 PMyetitwo
09/12/2025, 3:31 PMyetitwo
09/12/2025, 3:31 PMyetitwo
09/12/2025, 3:31 PMrole->project_read & (user + group->member)
Ian
09/12/2025, 3:32 PMgroup#member
?yetitwo
09/12/2025, 3:32 PMIan
09/12/2025, 3:33 PMyetitwo
09/12/2025, 3:37 PMgroup
relation used in addition to the user
relation, do a data/code migration to copy the relations over and stop writing the old relation, clean out the old relation, and then write a new schema that gets rid of the old relationIan
09/12/2025, 3:40 PMyetitwo
09/12/2025, 3:44 PMIan
09/12/2025, 3:51 PMyetitwo
09/12/2025, 4:03 PMIan
09/12/2025, 4:13 PMyetitwo
09/12/2025, 4:14 PM