An organization has employees and managers.
An employee has confidential and public data.
An employee can view, edit and access their own data.
An employee's direct manager can view and access that employee's confidential data.
Anyone in the organization can view anyone's public data.
definition employee {
    relation direct_manager: employee
    permission access = direct_manager
}

definition confidential_employee_data {
    relation owner: employee
    permission own = owner
    permission access = owner + owner->access
}

definition public_employee_data {
    relation owner: employee
    relation viewer: employee:*
    permission own = owner
    permission view = viewer
}
Test Relationships
confidential_employee_data:jake_address#owner@employee:jake
employee:jake#direct_manager@employee:jimmy
confidential_employee_data:david_address#owner@employee:david
employee:david#direct_manager@employee:peter
public_employee_data:david_name#viewer@employee:*
public_employee_data:peter_name#viewer@employee:*
public_employee_data:david_name#owner@employee:david
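The following is an added example, not part of the original schema or of SpiceDB/Authzed: a small stand-alone evaluator that parses relationships in the `resource:id#relation@subject:id` form used in the test relationships above and resolves the three permissions the schema defines (`employee.access`, `confidential_employee_data.access` including the `owner->access` arrow, and the `employee:*` wildcard on `public_employee_data.view`). The relationships are embedded inline, copied from the page with the `david_name` owner id written in lowercase so it names the same `employee:david` as the other lines (object ids are case-sensitive, which the last check demonstrates). Function names and the regular expression are this example's own, not a SpiceDB API.

```python
# Added example: toy evaluator mirroring the semantics of the page's schema.
# It is NOT the SpiceDB engine; it only resolves the permissions written above:
#   employee.access                   = direct_manager
#   confidential_employee_data.access = owner + owner->access
#   public_employee_data.view         = viewer   (viewer may be the wildcard employee:*)

import re
from collections import defaultdict

# One relationship per line: resource_type:resource_id#relation@subject_type:subject_id
RELATIONSHIP_RE = re.compile(
    r"^(?P<rtype>\w+):(?P<rid>[\w*]+)#(?P<relation>\w+)@(?P<stype>\w+):(?P<sid>[\w*]+)$"
)

# Constructed input: the page's test relationships, owner id of david_name in lowercase.
TEST_RELATIONSHIPS = """\
confidential_employee_data:jake_address#owner@employee:jake
employee:jake#direct_manager@employee:jimmy
confidential_employee_data:david_address#owner@employee:david
employee:david#direct_manager@employee:peter
public_employee_data:david_name#viewer@employee:*
public_employee_data:peter_name#viewer@employee:*
public_employee_data:david_name#owner@employee:david
"""


def parse_relationships(text):
    """Return {(resource_type, resource_id, relation): {(subject_type, subject_id), ...}}."""
    tuples = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RELATIONSHIP_RE.match(line)
        if not m:
            raise ValueError(f"malformed relationship: {line!r}")
        key = (m["rtype"], m["rid"], m["relation"])
        tuples[key].add((m["stype"], m["sid"]))
    return tuples


def subjects_of(tuples, rtype, rid, relation):
    """Direct subjects written on a relation (no permission logic applied)."""
    return tuples.get((rtype, rid, relation), set())


def has_subject(subjects, stype, sid):
    """A subject matches if listed directly or covered by that type's wildcard (stype:*)."""
    return (stype, sid) in subjects or (stype, "*") in subjects


def check(tuples, rtype, rid, permission, stype, sid):
    """Evaluate a permission for the three definitions in the page's schema."""
    if rtype == "employee" and permission == "access":
        # permission access = direct_manager
        return has_subject(subjects_of(tuples, rtype, rid, "direct_manager"), stype, sid)

    if rtype == "confidential_employee_data":
        owners = subjects_of(tuples, rtype, rid, "owner")
        if permission == "own":
            return has_subject(owners, stype, sid)
        if permission == "access":
            # owner + owner->access: the owner, plus anyone holding `access` on the
            # owning employee (that employee's direct_manager).
            if has_subject(owners, stype, sid):
                return True
            return any(check(tuples, otype, oid, "access", stype, sid) for otype, oid in owners)

    if rtype == "public_employee_data":
        if permission == "own":
            return has_subject(subjects_of(tuples, rtype, rid, "owner"), stype, sid)
        if permission == "view":
            # viewer is typed employee:*, so the wildcard tuple grants every employee.
            return has_subject(subjects_of(tuples, rtype, rid, "viewer"), stype, sid)

    raise ValueError(f"unknown permission {permission!r} on {rtype!r}")


if __name__ == "__main__":
    t = parse_relationships(TEST_RELATIONSHIPS)
    for args in [
        ("confidential_employee_data", "jake_address", "access", "employee", "jimmy"),
        ("confidential_employee_data", "jake_address", "access", "employee", "peter"),
        ("public_employee_data", "david_name", "view", "employee", "jake"),
        ("public_employee_data", "david_name", "own", "employee", "David"),
    ]:
        print(args, "->", check(t, *args))
```

Running it shows jimmy (jake's direct manager) reaching `jake_address` through the `owner->access` arrow while peter does not, every employee viewing `david_name` through the wildcard, and `employee:David` failing the `own` check because it is a different object id from `employee:david`.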