https://authzed.com logo
Join Discord
Powered by
Hi folks! I have a question about
# spicedb
s
Hi folks! I have a question about modeling memberships in the schema. A user can have a membership to a business. We've been debating between having membership as a separate definition, or just having it as a relation between a member and a business. 🧵
The issue we're encountering it for the 
delete_membership
permission. A membership can either be deleted by a member or by the business admin of the business. Without modeling the membership as its own object, we could define the 
delete_membership
permission on either the business object or the member object, but there are issues with both: * If it's defined in the business, then we don't know which user's membership is being deleted, so a user could delete another user's membership. * If it's defined in the member, we don't know which business the membership corresponds to, so an admin of a business may delete a member's membership to another business
Schema with membership as a separate definition:
Copy code
definition user {
    relation self: user
}

definition business {
    relation membership: user
    relation admin: user
}


definition membership {
    relation member: user
    relation business: business

    permission delete_membership: member + business->admin
}
Schema with 
delete_membership
on the business definition:
Copy code
definition business {
    relation admin: user
    relation membership: user
    //...
    permission delete_membership: admin + user // ???
}
Schema with 
delete_membership
on the member defintion:
Copy code
definition user {
  relation self: user
  relation membership: business
  //...
  permission delete_membership: self + membership->business_admin
}
y
i think that modeling a 
membership
as its own entity makes sense to me if it's treated as an entity unto itself by your system
do you have concerns with that approach?
s
I don't think we have concerns per se, we just wanted to make sure we weren't missing some nuance about modeling entities in this way without needing a separate entity. Sounds like this is the way to go then. Thank you!
y
sure thing!
PreviousNext
Powered by