Hi <@897100069558452274> - I believe this is what...
# spicedb
d
Hi @costap - I believe this is what you're looking for
Copy code
definition user {}

definition organization {
  relation member: user

  permission view_all_contracts = member
}

definition contract {
  relation owner: organization

  permission view = organization->view_all_contracts
}
Hi @costap
Sorry - I meant to start a thread
c
Hi @dsieczko thanks for this, is a bit different that though, at the moment I have something like
Copy code
definition user {}

definition organization {
  relation member: user
  relation contract_owner: organization

  permission edit_documents = contract_owner->member
  permission view_documents = member + contract_owner->member
}

definiton document {
  relation organization: organization
}
as in the documents can be created for a org but but only the members of the contract owner can say edit documents while if the org doesn't own the contract they can only view.
is just that most times the org is also a contract owner, so endup with a self relation, while a few orgs have other orgs as contract owner
instead i was looking to see if could say "if this org is a contract owner and the user is a member then they can edit if the org is not a contract owner they can only view
d
gotcha
Copy code
definition user {}

definition organization {
  relation member: user

  permission view_all_contracts = member
}

definition contract {
  relation owner: organization
  relation guest_access: user | user:*

  permission view = guest_access + owner->view_all_contracts
  permission edit = guest_access & owner->view_all_contracts
}
The interesection operator (&) will solve for this i belive
hmm actually sorry i'm re reading your statement
yea that should do it
but you may not need the owner->view_all_contracts on the view permission
after some internal discussion - to be more semantically correct i updated "viewer" to "guest_access"
c
thanks @dsieczko trying to make sense of it 🙂
d
sure thing! let me know if you have any questions
you've played around with the playground ?
c
yep I have 🙂 great tool!
I suppose what i'm missing is how do I plug this into the organization resources, like documents in my case
as what i need to verify is permissions on those resources rather then the contract
and i would like to avoid linking all resources to the owner of contract org and the they already liked through the orgs
d
sorry can you breakdown all of the objects you need to define?
Hi @costap! Let me know if you have any other schema questions - happy to help!
c
Hi @dsieczko Im sorry i didn't get back to you. I wanted to put up a basic example in playground and share but other things got on the way yesterday. will share something soon
d
Thanks @costap ! Have a look at this https://play.authzed.com/s/5PXE00W2RX_U/schema
Also @costap take a look at this one my colleague put together https://play.authzed.com/s/phQvCwMqYfpb/schema
c
Thanks! This will work, I think i was trying to see if there was a way to avoid linking the owner to every doc and is only the same for each guest org, if that makes sense
d
Hey! Sorry - this thread got lost for me.
A doc will always have an owner right?