https://authzed.com logo
Join Discord
Powered by
hey all, got a question. I'm attempting
# spicedb
a
hey all, got a question. I'm attempting to create a schema to model two main entities, employments & roles, with the following guidelines: - An employment may have exactly one role assigned (employment A has the role 'Barista') - A role may be assigned to any number of employments (the 'Barista' role is assigned to multiple different employments) - A role may "manage" other roles (the 'Admin' role may manage the 'Barista' role, employment B has the 'Admin' role, employment A has the 'Barista' role, therefore employment B may manage employment A) my first pass at modeling this looked something like the attached image. this worked okay, as it allowed me to answer the question β€œCan employment A, assigned role B, be managed by role C?" it did not, however, allow me to answer the question β€œCan employment A that is assigned role B, be managed by employment D that is assigned role C?” am I correct in thinking that in order to answer this question, I'd need to either: 1) introduce a cycle into the graph, or 2) split out 'employment' -> 'managed_employment' & 'managing_employment', and split out 'role' -> 'managed_role' & 'managing_role'? https://cdn.discordapp.com/attachments/844600078948630559/1255241948034371705/image.png?ex=667c6aa9&is=667b1929&hm=8e0b6105ffb68b7ba4203339a1bdbdad3bba4c14c735b3232a29a674daeab4eb&
with the following schema:
Copy code
definition employment {}

definition role {
    relation employment: employment
}

definition managing_role {
    relation managed_role: role

    // Helper for managing_employment to reach the employment
    permission manage = managed_role->employment
}

definition managing_employment {
    relation managing_role: managing_role

    // This expands to managing_role->managed_role->employment
    permission manage = managing_role->manage
}
with the above, I am able to make assertions around employments being able to manage other employments, but I'm curious if there's a more elegant way of modeling this that only uses "employments" and "roles" instead of having to split each out into "managed_x" and "managing_x"
j
its a bit hard to follow without some example data and checks
a
sure thing, one moment
b
hey joey! this is brian from square (we met at identiverse in coversation with jelle as well) - i'm working with alec on this project. honestly i think we'd love to hop on a call with someone who could maybe walk us through it a bit. we're attempting to establish a working demo of spicedb on this dataset for a hackweek project so time is somewhat of the essence for us πŸ™‚
i think alec's model will work but we both suspect it is suboptimal
j
sure!
you can either schedule a call here https://authzed.com/contact or, if you prefer, you can DM me and we can schedule a chat that way
b
i scheduled a call via the link - will wait for the email!
j
great!
@alec you can, if you like, click the share button in the Playground to get a link you can share with us
if it is sensitive, feel free to only give it to us during the call
b
we've been running it locally πŸ˜‰ we'll duplicate in playground for the call
or before if we get a moment
j
ah, that works too!
a
i replicated it to the shared playground: https://play.authzed.com/s/En_HoYoRaLPK/assertions
2 Views
PreviousNext
Powered by