https://authzed.com logo
#spicedb
Title
# spicedb
p

pj

12/22/2022, 10:52 AM
Hi, I have a question about a design pattern. In my application, I have some users with the rights (patient-edition or patient-access-all). With these rights, the user can access for all patients or can update the patient. I have a definition (patient) like this :
Copy code
definition patient {
    relation owner: user
    relation doctor: user
    relation technician: user

    permission read = owner + doctor + technician
    permission write = owner + doctor + technician
  }
But I would like to verify the user right inside the read / write permission. I don't know if the right must be define in the user definition or somewhere else. Is there a design pattern for user right ? thanks
v

vroldanbet

12/22/2022, 11:02 AM
👋🏻 I'm not sure I understand what you mean with "verify the user right inside the read/write permission", can you elaborate?
p

pj

12/22/2022, 12:25 PM
For exemple : - Read: owner OR doctor OR technician OR user have the right 'patient-access-all' can access of the ressource patient - Write: (owner OR doctor OR technician OR user have the right 'patient-access-all' ) AND the user have the right 'patient-edition' can update the patient. Let me know if it's more clear. thanks
The user's right (patient-edition) must be check inside the permission of the definition ?
v

vroldanbet

12/22/2022, 6:00 PM
I can think of creating a top level definition that holds those "patient-access-all" and "patient-edit-all", as if you assigned the role system-wide:
Copy code
definition platform {
    relation patient_reader: user
    relation patient_writer: user
    
    relation read: patient_reader + write
    relation write: patient_writer
  }

  definition patient {
    relation platform: platform
    relation owner: user
    relation doctor: user
    relation technician: user

    permission read = write + platform#read
    permission write = owner + doctor + technician + platform#write
  }
This way you don't assign the role on a per resource basis, but system wide. IF you ever needed to create groups of patients a user can have permission to, you can follow the same pattern: e.g you could create a
folder
definition, and add relations there that denote a user has access to all elements in the
folder
. This is essentially the same.
p

pj

12/23/2022, 7:52 AM
Ok, I see for the platform definition. Inside the platform definition. Can I set all possible user rights like this :
Copy code
definition platform {
    relation patient_reader: user
    relation patient_writer: user
    relation patient_creation: user
    relation manage_all_user: user
    relation prescription_creator
.....
   
    permission patient_read: patient_reader + write
    permission patient_write: patient_writer
.....
  }
I have lot of possible right for the users of my application. I would like to be sure where I have to store them.
v

vroldanbet

12/23/2022, 12:15 PM
yeah that sounds about right