https://authzed.com logo
Powered by
Title
d

dsieczko

12/05/2022, 2:31 PM
Hi @costap - I believe this is what you're looking for 
definition user {}

definition organization {
  relation member: user

  permission view_all_contracts = member
}

definition contract {
  relation owner: organization

  permission view = organization->view_all_contracts
}
Hi @costap
Sorry - I meant to start a thread
c

costap

12/05/2022, 2:54 PM
Hi @dsieczko thanks for this, is a bit different that though, at the moment I have something like 
definition user {}

definition organization {
  relation member: user
  relation contract_owner: organization

  permission edit_documents = contract_owner->member
  permission view_documents = member + contract_owner->member
}

definiton document {
  relation organization: organization
}
as in the documents can be created for a org but but only the members of the contract owner can say edit documents while if the org doesn't own the contract they can only view.
is just that most times the org is also a contract owner, so endup with a self relation, while a few orgs have other orgs as contract owner
instead i was looking to see if could say "if this org is a contract owner and the user is a member then they can edit if the org is not a contract owner they can only view
d

dsieczko

12/05/2022, 3:15 PM
gotcha 
definition user {}

definition organization {
  relation member: user

  permission view_all_contracts = member
}

definition contract {
  relation owner: organization
  relation guest_access: user | user:*

  permission view = guest_access + owner->view_all_contracts
  permission edit = guest_access & owner->view_all_contracts
}
The interesection operator (&) will solve for this i belive
hmm actually sorry i'm re reading your statement
yea that should do it
but you may not need the owner->view_all_contracts on the view permission
after some internal discussion - to be more semantically correct i updated "viewer" to "guest_access"
c

costap

12/05/2022, 4:48 PM
thanks @dsieczko trying to make sense of it 🙂
d

dsieczko

12/05/2022, 4:57 PM
sure thing! let me know if you have any questions
you've played around with the playground ?
https://play.authzed.com/
c

costap

12/05/2022, 5:29 PM
yep I have 🙂 great tool!
I suppose what i'm missing is how do I plug this into the organization resources, like documents in my case
as what i need to verify is permissions on those resources rather then the contract
and i would like to avoid linking all resources to the owner of contract org and the they already liked through the orgs
d

dsieczko

12/05/2022, 5:52 PM
sorry can you breakdown all of the objects you need to define?
Hi @costap! Let me know if you have any other schema questions - happy to help!
c

costap

12/07/2022, 10:15 AM
Hi @dsieczko Im sorry i didn't get back to you. I wanted to put up a basic example in playground and share but other things got on the way yesterday. will share something soon
https://play.authzed.com/s/Gfw7hw4wPhbn/relationships
d

dsieczko

12/07/2022, 9:53 PM
Thanks @costap ! Have a look at this https://play.authzed.com/s/5PXE00W2RX_U/schema
Also @costap take a look at this one my colleague put together https://play.authzed.com/s/phQvCwMqYfpb/schema
c

costap

12/08/2022, 11:16 AM
Thanks! This will work, I think i was trying to see if there was a way to avoid linking the owner to every doc and is only the same for each guest org, if that makes sense
d

dsieczko

12/09/2022, 5:33 PM
Hey! Sorry - this thread got lost for me.
A doc will always have an owner right?
#spicedbJoin Discord
Powered by