# spicedb
b
Back from the lab. I'm not sure this

```
definition role {
  relation member: user
}

definition repo {
  relation delete_issuer: role#member
  permission delete_issue = delete_issuer
}
```

will work. The style of grouping this schema models doesn't fit the use case I'm trying to model 😅 I've attached a diagram to (hopefully) help explain how custom roles are modeled at GitHub. GitHub has a notion of a `UserRole` which creates a link between a user `monalisa`, a repo `repo1`, and a role `repo_manager`. The permissions that `repo_manager` grants `monalisa` are valid only on `repo1`. A different user `geoff` can get the role `repo_manager` on a different repo `repo2`. The two grants are independent of each other. At this point, `monalisa` has no permissions on `repo2`. Likewise, `geoff` has no permissions on `repo1`. I attempted to model this in the attached diagram.

Using the schema above, here's how `monalisa` could get the `repo_manager` role for `repo1`. First make `monalisa` a member of `repo_manager`:

```
role:repo_manager#member@user:monalisa
```

Next, let `repo_manager` members have the `delete_issuer` relationship for `repo1`:

```
repo:repo1#delete_issuer@role:repo_manager#member
```

The same thing can be done for `geoff` to give them the `repo_manager` role on `repo2`. We can check to make sure `monalisa` has the `delete_issue` permission on `repo1` and `geoff` has the `delete_issue` permission on `repo2`:

```
assertTrue:
- repo:repo1#delete_issue@user:monalisa
- repo:repo2#delete_issue@user:geoff
```

We can also check to make sure `monalisa` has no permissions on `repo2` and `geoff` has no permissions on `repo1`:

```
assertFalse:
- repo:repo2#delete_issue@user:monalisa
- repo:repo1#delete_issue@user:geoff
```

Uh-oh, these don't pass! `monalisa` has access to `repo2` and `geoff` has access to `repo1`. 🙀
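As an added illustration (not part of the post above, and not SpiceDB's own resolver), the following small Python simulation walks the relationships from the post the way a userset-based resolver would, so you can see where the per-repo scoping is lost: `role:repo_manager#member` is a single global set, so every repo that references it inherits all of its members. The `PERMISSIONS` table and `check`/`subjects_of` helpers are assumptions made for this sketch.

```python
# Added example (not from the original post): a minimal simulation of how
# the schema above resolves, to show why the assertFalse checks fail.
# The relationship tuples are the ones written in the post (plus geoff's
# mirror-image grant on repo2); the evaluator is a simplified stand-in.

# Schema from the post: delete_issue resolves directly through delete_issuer.
PERMISSIONS = {("repo", "delete_issue"): ["delete_issuer"]}

# Constructed relationship set, (resource, relation, subject).
RELATIONSHIPS = [
    ("role:repo_manager", "member", "user:monalisa"),
    ("role:repo_manager", "member", "user:geoff"),
    ("repo:repo1", "delete_issuer", "role:repo_manager#member"),
    ("repo:repo2", "delete_issuer", "role:repo_manager#member"),
]


def subjects_of(resource: str, relation: str) -> set[str]:
    """Expand resource#relation into the concrete users it contains.

    A subject such as 'role:repo_manager#member' is a userset: it is
    replaced by the members of that relation. This is where scoping is
    lost, because the userset is the same set no matter which repo
    references it.
    """
    users: set[str] = set()
    for res, rel, subject in RELATIONSHIPS:
        if res != resource or rel != relation:
            continue
        if "#" in subject:  # userset: recurse into it
            sub_res, sub_rel = subject.split("#", 1)
            users |= subjects_of(sub_res, sub_rel)
        else:
            users.add(subject)
    return users


def check(resource: str, permission: str, user: str) -> bool:
    """Evaluate resource#permission@user by walking the permission's relations."""
    kind = resource.split(":", 1)[0]
    relations = PERMISSIONS.get((kind, permission), [permission])
    return any(user in subjects_of(resource, rel) for rel in relations)


if __name__ == "__main__":
    # Both grants leak across repos because role:repo_manager#member is global.
    for res, user in [("repo:repo1", "user:monalisa"), ("repo:repo2", "user:monalisa"),
                      ("repo:repo1", "user:geoff"), ("repo:repo2", "user:geoff")]:
        print(res, "delete_issue", user, check(res, "delete_issue", user))
```

All four checks return True, which reproduces the failing `assertFalse` cases: the role membership is not tied to the repo the grant was written for.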