Hi I have a question about a design pattern In my applicatio SpiceDB #spicedb

Hi, I have a question about a design pattern. In m...

12/22/2022, 10:52 AM

Hi, I have a question about a design pattern. In my application, I have some users with the rights (patient-edition or patient-access-all). With these rights, the user can access for all patients or can update the patient. I have a definition (patient) like this :

Copy code

definition patient {
    relation owner: user
    relation doctor: user
    relation technician: user

    permission read = owner + doctor + technician
    permission write = owner + doctor + technician
  }

But I would like to verify the user right inside the read / write permission. I don't know if the right must be define in the user definition or somewhere else. Is there a design pattern for user right ? thanks

vroldanbet

12/22/2022, 11:02 AM

👋🏻 I'm not sure I understand what you mean with "verify the user right inside the read/write permission", can you elaborate?

12/22/2022, 12:25 PM

For exemple : - Read: owner OR doctor OR technician OR user have the right 'patient-access-all' can access of the ressource patient - Write: (owner OR doctor OR technician OR user have the right 'patient-access-all' ) AND the user have the right 'patient-edition' can update the patient. Let me know if it's more clear. thanks

12/22/2022, 12:27 PM

The user's right (patient-edition) must be check inside the permission of the definition ?

vroldanbet

12/22/2022, 6:00 PM

I can think of creating a top level definition that holds those "patient-access-all" and "patient-edit-all", as if you assigned the role system-wide:

Copy code

definition platform {
    relation patient_reader: user
    relation patient_writer: user
    
    relation read: patient_reader + write
    relation write: patient_writer
  }

  definition patient {
    relation platform: platform
    relation owner: user
    relation doctor: user
    relation technician: user

    permission read = write + platform#read
    permission write = owner + doctor + technician + platform#write
  }

vroldanbet

12/22/2022, 6:01 PM

This way you don't assign the role on a per resource basis, but system wide. IF you ever needed to create groups of patients a user can have permission to, you can follow the same pattern: e.g you could create a

folder

definition, and add relations there that denote a user has access to all elements in the

folder

. This is essentially the same.

12/23/2022, 7:52 AM

Ok, I see for the platform definition. Inside the platform definition. Can I set all possible user rights like this :

Copy code

definition platform {
    relation patient_reader: user
    relation patient_writer: user
    relation patient_creation: user
    relation manage_all_user: user
    relation prescription_creator
.....
   
    permission patient_read: patient_reader + write
    permission patient_write: patient_writer
.....
  }

I have lot of possible right for the users of my application. I would like to be sure where I have to store them.

vroldanbet

12/23/2022, 12:15 PM

yeah that sounds about right

Previous Next