Looking for help with the schema cannot find this in docs `` SpiceDB #spicedb

Looking for help with the schema, cannot find this...

andvla

09/19/2022, 10:59 AM

Looking for help with the schema, cannot find this in docs:

Copy code

definition unit {
  relation administration_director: user
  relation sales_director: user

  permission manage = administration_director + sales_director
}

definition company {
  relation unit: unit
}

definition order {
  relation company: company

  permission update = company->unit->manage
}

I have this schema, it is invalid due to no support for double arrows

company->unit->manage

Is there a way for me to set permission on order level based on the permission in unit?

vroldanbet

09/19/2022, 11:05 AM

hi! the usual way to address the lack of nested arrows is to create "proxy permissions"

Copy code

definition unit {
  relation administration_director: user
  relation sales_director: user

  permission manage = administration_director + sales_director
}

definition company {
  relation unit: unit
  
  permission manage = unit->manage
}

definition order {
  relation company: company

  permission update = company->manage
}

andvla

09/19/2022, 11:12 AM

So proxy is the only way to solve it, or do I have other options? I'm slightly worried, as we have about 15 user roles, where for some permissions I'll need to do this:

Copy code

definition unit {
  relation administration_director: user
  relation sales_director: user

  permission manage = administration_director + sales_director
}

definition company {
  relation unit: unit

  permission manage = unit->manage
}

definition order {
  relation company: company
  
  permission update = company->manage
  permission delete = company->unit->administration_director // This doesn't rely on permission from unit but a user roles instead
}

andvla

09/19/2022, 11:14 AM

With the proposed solution, do I have any other options than this?

Copy code

definition unit {
  relation administration_director: user
  relation sales_director: user
  
  permission manage = administration_director + sales_director
}

definition company {
  relation unit: unit

  permission manage = unit->manage
  permission sales_director = unit->sales_director
}

definition order {
  relation company: company
  
  permission update = company->manage
  permission delete = company->sales_director
}

vroldanbet

09/19/2022, 11:16 AM

hrm, you are turning a role into a permission here. It would suggest to think in terms of actions that can be authorized instead of how the permission is implemented

Copy code

definition unit {
  relation administration_director: user
  relation sales_director: user
  
  permission manage = administration_director + sales_director
  permission delete = sales_director
}

definition company {
  relation unit: unit

  permission manage = unit->manage
  permission delete = unit->delete
}

definition order {
  relation company: company
  
  permission update = company->manage
  permission delete = company->delete
}

andvla

09/19/2022, 11:18 AM

sales_director in our case is not allowed to delete a unit nor company. Order is the first thing in this structure we allow to delete.

vroldanbet

09/19/2022, 11:21 AM

then turn it into a permission that better represents what the sales director can do on the unit, like

manage_sales

manage_unit

Copy code

definition unit {
  relation administration_director: user
  relation sales_director: user
  
  permission manage = administration_director + sales_director
  permission finances = sales_director
}

definition company {
  relation unit: unit

  permission manage = unit->manage
  permission finances = unit->finances
}

definition order {
  relation company: company
  
  permission update = company->manage
  permission delete = company->finances
}

vroldanbet

09/19/2022, 11:27 AM

at the end of the day is a question of naming that captures the business intent. I do understand it can be easier to reason to implement the permission in terms of "who can actually perform the operation" in this particular case

vroldanbet

09/19/2022, 11:29 AM

maybe orders should be associated with units?

vroldanbet

09/19/2022, 11:29 AM

company has units, units has sales?

andvla

09/19/2022, 11:30 AM

Ok, thanks for the suggestion. So there's nothing I can improve about the schema in order to not have to do it this way? Maybe my role assignment for the users within a unit can be done differently in order to simplify it?

andvla

09/19/2022, 11:30 AM

in our case every unit has multiple companies, each company can have orders, each order has invoices and so on

andvla

09/19/2022, 11:31 AM

having this schema allows us to move companies between the units, without a need to relink all the children of a company to something else

andvla

09/19/2022, 11:32 AM

in case we start relating all the children directly to the unit, each company-unit relation update will require bunch of other relations to be updated

vroldanbet

09/19/2022, 11:34 AM

so yeah, however you name it, if you have a 3 level hierarchy like yours, you need a proxy permission. Feel free to bump the nested arrows issue if you feel this is a problem for y'all https://github.com/authzed/spicedb/issues/15

andvla

09/19/2022, 11:36 AM

that would save us lots of rows in schema for sure, thanks for this URL and for all the suggestions above!

2 Views

Previous Next