Hi, I've struggled to write the schema
# spicedb
g
Hi, I've struggled to write the schema for the new requirements and have not succeeded. I hope somebody can give me a hint 😅 I have a hierarchical tree with nodes that have assigned users. Each user can have a role. A user can perform specific actions based on his role against the users who are assigned to the child nodes. The roles are predefined and always have a defined list of scopes. I can share my progress, but I don't think I'm moving in the right direction. Any help would be appreciated.
v
I'd suggest sharing your schema before the new requirements, and describing what you are trying to achieve in terms of that schema
g
Hi again. I have managed to check permission for the resource (user) if he is attached to the child node. But now I need to implement a permission check where, when the subject (user) has a specific role, it can perform the actions against any user, no matter where on the tree he is located. Here is my schema; I have simplified it to show only one permission. I attached the schema and relations configuration. My intention is to be able to check the permission, and it needs to be valid if the subject has the human_resource role:
user:head_of_production_user#contacts_view@user:human_resource_user
It is currently working fine when I check permissions to see when the subject has the lead role and the resource is attached to the child node. Thanks in advance. https://cdn.discordapp.com/attachments/1247479072960020571/1248627476066996314/authzed-download-47b534.yaml?ex=66645a74&is=666308f4&hm=962be45a28c6046b056ff27a1ab41f68f91e774200b8843b4a2571ed992f8400&
v
Hi, I think one way to do this is to create a "platform node" where location-independent role grants take place. In this example I've created a "platform" object, where the user will be granted a role. All nodes connect to the platform, so you effectively achieve the "regardless of the position in the hierarchical tree". Please note your requirement seems to be in conflict with the current design. You are describing "a user that can do something when a certain role is assigned", but your schema is designed with fine-grained permissions in mind, where permissions are granted based on what the role can do, not what the role is.
definition user {
    // the node(s) in the tree this user is attached to
    relation membership: node

    // a user's contacts can be viewed by whoever has contacts_view on a node they belong to
    permission contacts_view = membership->contacts_view
}

definition role {
    // wildcard subject: any user holding this role gets contacts_view
    relation contacts_view: user:*
}

definition user_role_binding {
    relation user: user
    relation role: role

    // resolves to the bound user only if the role carries contacts_view
    permission contacts_view = user & role->contacts_view
}

definition platform {
    // location-independent grants (e.g. the human_resource role) live here
    relation granted: user_role_binding

    permission contacts_view = granted->contacts_view
}

definition node {
    relation platform: platform
    relation parent: node
    relation child: node
    relation granted: user_role_binding

    permission member = granted->user
    permission descending_member = member + child->descending_member
    permission ascending_member = member + parent->ascending_member
    permission child_member = descending_member - member
    permission parent_member = ascending_member - member

    // grants on this node, inherited from ancestors, or from the platform
    permission contacts_view = granted->contacts_view + parent->contacts_view + platform->contacts_view
}
g
It is exactly what I needed. I was able to find another solution, but your concept with the platform seems much cleaner. Thank you for your help.