Joey
03/07/2022, 5:41 PM
definition user {
    relation viewer_only: user
    permission all = viewer_only
}

definition document {
    relation writer: user#all
    relation reader: user#all | user#viewer_only
    permission edit = writer
    permission view = reader + edit
}
In this example, you grant a role on document to either user#all or to user#viewer_only. Then, at check time, you can check for user:whomever#all as the subject or user:whomever#viewer_only, and it'll "scope down" based on that. Since #all also includes the lower "scopes", it'll handle that case too.
Playground link here: https://play.authzed.com/s/NvrMRnPDnnT4/