# spicedb
Hey there, stopping in from GitHub 👋 I'm following up on an effort to model custom roles that @User had started https://discordapp.com/channels/844600078504951838/844600078948630559/912412258678755338 and I'm looking for some advice.

**Background**

At GitHub, granting roles on repos is done on a per-repo basis. In other words, when a role is given to a user for a repo, it applies to only that repository. Using the guidance from ☝️ , we have this schema: https://play.authzed.com/s/WEwcI3gcA-0c/schema. This roughly models the current behavior of roles. A role can have certain permissions "turned on" by creating relationships between the role and its members (for example: `delete_issue`). A user can be a member of that role and a repo can be related to various roles.

**The Problem**

This is a rough approximation of the intended behavior, but falls apart pretty quickly. Consider the scenario where two users `monalisa` and `geoff` are to be granted the `repo_manager` role on `repo1` and `repo2`, respectively. In real life, `monalisa` gets `repo_manager` on `repo1`, but has no permissions over `repo2`, and vice-versa for `geoff`. However, as the assertions show with this model, any member of `repo_manager` gets the `repo_manager` permissions on ALL repos that have a relationship with `repo_manager`. If there were a third user `jeeves` who was given membership of the `repo_manager` role, they would get permissions on `repo1` and `repo2` instantly.

I read the blog post on user defined roles (https://authzed.com/blog/user-defined-roles/). It's almost what I need, but is structurally different from how roles at GitHub work. Repos don't "own" the roles. In the blog post, a role is defined on a per-project basis. The `admin` role "belongs" to the `pied_piper` project. It couldn't be re-used in a different project.
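The shared-role shape described above, next to a per-repo binding shape, as an added SpiceDB schema example (not the poster's linked schema and not Authzed's own code). The `repo_leaky`, `role_binding` and `rb1`/`rb2` names, and the relationships and assertions in the trailing comments, are constructed for illustration.

```zed
definition user {}

// A role is a global object; a permission is "turned on" for its members by
// relating the role to its own member set (e.g. role:repo_manager#delete_issue@role:repo_manager#member).
definition role {
    relation member: user
    relation delete_issue: role#member
}

// Shape from the post: repos point at the shared role, so every member of the
// role gets its permissions on every repo that references it.
definition repo_leaky {
    relation role: role
    permission delete_issue = role->delete_issue
}

// Assumed per-repo shape (not from the original post): a binding object ties one
// user to one role, and each repo references only its own bindings.
definition role_binding {
    relation user: user
    relation role: role
    // granted only to the bound user, and only if the role has it turned on
    permission delete_issue = user & role->delete_issue
}

definition repo {
    relation binding: role_binding
    permission delete_issue = binding->delete_issue
}

// Constructed relationships:
//   role:repo_manager#member@user:monalisa
//   role:repo_manager#member@user:geoff
//   role:repo_manager#delete_issue@role:repo_manager#member
//   repo_leaky:repo1#role@role:repo_manager
//   repo_leaky:repo2#role@role:repo_manager
//   role_binding:rb1#user@user:monalisa
//   role_binding:rb1#role@role:repo_manager
//   role_binding:rb2#user@user:geoff
//   role_binding:rb2#role@role:repo_manager
//   repo:repo1#binding@role_binding:rb1
//   repo:repo2#binding@role_binding:rb2
//
// Assertions:
//   assertTrue:  repo_leaky:repo2#delete_issue@user:monalisa   (the leak described above)
//   assertTrue:  repo:repo1#delete_issue@user:monalisa
//   assertFalse: repo:repo2#delete_issue@user:monalisa
```

Adding a third member to `role:repo_manager` grants nothing under `repo` until a binding for that user is attached to a specific repo, which is the per-repo behavior the post is after.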