Multiple permissions in one
# spicedb
j
```
definition user {}

definition organization {
    relation internal_admin: user
    relation internal_user: user
    // subjects reach manager through either relation on an organization
    relation manager: organization#internal_admin | organization#internal_user

    permission manage_teams = manager
}
```
write a relationship from the org to itself over either relation you want to control
r
Not sure that I properly understand how to achieve my expectations. I do not want to revoke the role from the user; I would like to limit access for a specific user, even if he still has the role - admin
j
to what end?
r
my schema of organization
```
definition smile2impress/employee {}

definition smile2impress/role {
    relation member: smile2impress/employee
}

definition smile2impress/organization {
    // appointments management
    relation appointment_creator: smile2impress/role#member

    // the caveat allowed_appointment_type is not shown in this snippet
    relation allowed_appointment_types_to_create_appointment: smile2impress/employee with allowed_appointment_type

    // a relation is declared with ":" and must use the full prefixed type name
    relation appointment_creator_final: smile2impress/organization#appointment_creator | smile2impress/organization#allowed_appointment_types_to_create_appointment

    permission create_appointment = appointment_creator_final
}
```
In case a user has a role for which the relation (appointment_creator) exists, and at the same time is allowed to create only particular appointments (allowed_appointment_types_to_create_appointment), then appointment_creator_final will always exist by role,
doesn't it?
j
if a user has both roles, they would, by definition, always be able to create appointments
if that's not what you desire
you can require one or both