# spicedb
d
this should be wrong here, because I want, and have added in my relations, user:josh as APPROVER for ad_account:TUK-PARLE for module:measurement only. but here in check watches it's also allowing user:josh as APPROVER for ad_account:TUK-DOVE for module:measurement (but user:josh was assigned as APPROVER for module BOOKING in this), which should not be the case and there should be a cross ❌ where I have marked in the image. https://cdn.discordapp.com/attachments/844600078948630559/1348891325151449160/image.png?ex=67d11c71&is=67cfcaf1&hm=667d71ba1713e370faedce9b80ce6494623091ac640aa564b010cba9b79d727d&
k
the last relationship defined in the image says that ``user:josh`` is ``approver`` of ``module:measurement``, which should be, and is, true in check watches (the case you are highlighting). am I missing something here?
d
yes but that ``user:josh`` is ``approver`` of ``module:measurement`` is of ``tuk-parle``, but here if you see check watches from the top to bottom, I have followed a series of checks to get to that last level, so it should not be true for the ``tuk-dove``
k
I think that each row under the check watch performs a check independently, regardless of the previous one, since in that particular check no ``ad_account`` is provided, hence it does not interpret the parent definition. also, since the last relation is exactly what the check is looking for, it comes out to be true. you can maybe try nested perms/relations for performing a check for ``tuk-dove``
j
correct
if there exists any valid path from the resource+permission to the subject, the permission is true
you can't declare a subject added to a single module only; if you want the permission checks to be based on the module, you'll need to either check for that module, or have the subject be a "module_user" or something like that
d
can you write an example of what I can add in the schema for nested rel/perm?
exactly, so to differentiate the user for a particular ad account and the module roles, do I only have the option to define it like this - module_user - or can we do anything else?
j
that's the suggestion
use a different subject type if you need it
d
subject type as in?
j
module_user
k
maybe use something like
```
definition user {}
definition module { relation approver: user }
definition ad_account {
    relation module_user: module#approver
}
```
and then some rels like
```
ad_account:tak#module_user@module:measurement#approver
module:measurement#approver@user:josh
```
then the perm check for subject ``user:josh`` with ``module_user`` for ``ad_account:tak`` comes to be true
also lookup https://github.com/authzed/examples/tree/main/schemas for understanding schema modelling in depth
also note that this can be done in different ways
d
so if I want to check a permission, how does SpiceDB check it? does it check hierarchically (i.e. from the top level to the bottom layer) or just directly check access for that layer, as here it is defined in my schema from ``platform`` to the ``module`` level?? @kartikay @Joey
@kartikay also can we connect once if you can help me form the schema/rels
k
It walks a graph based on the rels and the overall schema you defined to perform checks. On a side note, you can hop in my DM for any more queries, happy to help.
d
yeah I have DMed you