# spicedb
I'm a bit confused about when to enumerate relations in a union vs create a synthetic relation. It seems like when I add a new relation to group (writer here), I would need to add it to all the other places where the group relations are listed out. I'm hoping this iteration is getting closer...?
```
definition user {}

definition group {
  // recursive groups
  relation parent: group

  // role assignments
  relation owner: user | group#member | group#writer | group#owner
  relation writer: user | group#member | group#writer | group#owner
  relation member: user | group#member | group#writer | group#owner

  // for crossing over resource types?
  permission membership = owner + writer + member + parent->membership

  // permissions over the group
  permission admin = owner + parent->admin
  permission write = writer + admin + parent->write
  permission read = member + write + parent->read
}

definition folder {
  // recursive folders
  relation parent: folder

  // role assignments
  relation owner: user | group#membership
  relation editor: user | group#membership
  relation reviewer: user | group#membership
  relation commenter: user | group#membership
  relation reader: user | group#membership

  // owner like things
  permission admin = owner + parent->admin // orgs do not have the admin permission

  // editor like things
  permission write = editor + admin + parent->write

  // reviewer like things
  permission feedback = reviewer + write + parent->feedback

  // limit who can comment
  permission comment = commenter + feedback + parent->comment

  // read only
  permission read = reader + comment + parent->read
}
```