s
definition membership {
    /** The organization this membership belongs to */
    relation organization: organization
    /** The team (if any) this membership belongs to */
    relation team: team
    // permission to issue a card for this membership:
    // organization-level card issuers or the admins of the membership's team
    permission issue_credit_card_for = organization->issue_new_card + team->issue_member_card
    // permission to manage the cards of this membership
    permission manage_cards_of = organization->issue_new_card + team->manage_cards_of_member
}

definition organization {
    // a membership is a member of the organization
    relation member: membership
    // the members of a role are card_managers in the organization
    relation card_manager: role#member
    // manage all cards in the organization; the intersection (&) requires a
    // card_manager to also be a current member, so a stale role entry alone grants nothing
    permission manage_cards = card_manager & member
    // issue new cards in the organization; membership above arrows to this permission
    // but the original schema never defined it, so the schema would be rejected on write
    permission issue_new_card = manage_cards
}

definition role {
    /** membership is a member of the role */
    relation member: membership
}

definition team {
    /** Which organization the team belongs to */
    relation organization: organization
    /** Team roles, specific to a particular team */
    relation admin: membership
    /** Just a regular member of the team */
    relation direct_member: membership
    // Team admin can do actions on cards of members
    permission manage_cards_of_member = admin
    // Team admin can issue a card to members
    permission issue_member_card = admin
}

definition credit_card {
    relation organization: organization
    relation owner: membership
    // who may manage this card: organization card managers, or anyone who may manage the owner's cards
    permission manage = organization->manage_cards + owner->manage_cards_of
    // only the owner can activate the card
    permission activate = owner
    // the owner or any manager can lock the card
    permission lock = owner + manage
}
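To see who the schema above actually lets through, here is a validation file in the format `zed validate` (and the SpiceDB playground) reads: the schema, a set of seed relationships and assertions on the resulting checks. This is an added example, not part of the original post or of any project. It assumes the `organization` definition gains an `issue_new_card` permission, which the posted schema arrows to but never defines, and the object names (`acme`, `payments`, `card_admins`, `alice`, `bob`, `carol`, `dave`, `cc_carol`) are constructed for the example.

```yaml
# Validation file for `zed validate`: schema + constructed relationships + assertions.
schema: |-
  definition membership {
      relation organization: organization
      relation team: team
      permission issue_credit_card_for = organization->issue_new_card + team->issue_member_card
      permission manage_cards_of = organization->issue_new_card + team->manage_cards_of_member
  }
  definition organization {
      relation member: membership
      relation card_manager: role#member
      permission manage_cards = card_manager & member
      // assumed addition: the posted schema references this permission but never defines it
      permission issue_new_card = manage_cards
  }
  definition role {
      relation member: membership
  }
  definition team {
      relation organization: organization
      relation admin: membership
      relation direct_member: membership
      permission manage_cards_of_member = admin
      permission issue_member_card = admin
  }
  definition credit_card {
      relation organization: organization
      relation owner: membership
      permission manage = organization->manage_cards + owner->manage_cards_of
      permission activate = owner
      permission lock = owner + manage
  }
relationships: |-
  organization:acme#member@membership:alice
  organization:acme#member@membership:bob
  organization:acme#member@membership:carol
  role:card_admins#member@membership:alice
  role:card_admins#member@membership:dave
  organization:acme#card_manager@role:card_admins#member
  team:payments#organization@organization:acme
  team:payments#admin@membership:bob
  team:payments#direct_member@membership:carol
  membership:carol#organization@organization:acme
  membership:carol#team@team:payments
  credit_card:cc_carol#organization@organization:acme
  credit_card:cc_carol#owner@membership:carol
assertions:
  assertTrue:
    - "credit_card:cc_carol#activate@membership:carol"          # owner activates
    - "credit_card:cc_carol#lock@membership:carol"              # owner locks
    - "credit_card:cc_carol#manage@membership:alice"            # org card manager who is also a member
    - "credit_card:cc_carol#manage@membership:bob"              # admin of the owner's team
    - "membership:carol#issue_credit_card_for@membership:bob"   # team admin issues cards to members
    - "membership:carol#issue_credit_card_for@membership:alice" # org-level issuer
  assertFalse:
    - "credit_card:cc_carol#manage@membership:carol"            # owners cannot manage their own card
    - "credit_card:cc_carol#activate@membership:bob"            # only the owner activates
    - "credit_card:cc_carol#manage@membership:dave"             # in the card_manager role but not an org member
```

Run it with `zed validate cards.yaml`. The `dave` case is the one worth keeping in a regression suite: it exercises the `card_manager & member` intersection, so a membership that is removed from the organization but lingers in the `card_admins` role loses card management instead of keeping it.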
v
I think this looks mostly fine to me if your main use-case is having team admins be able to create and manage cards. I think the role definition here provides no apparent value if you are implementing an RBAC model. If you are looking to build something akin to "custom roles" like you see in GitHub, I'd recommend checking out https://authzed.com/blog/google-cloud-iam-modeling
s
Thank you so much!