at some point you need to define base permissions ...
# spicedbj
Joey
12/29/2022, 8:22 PMat some point you need to define base permissions to check
s
Singha1
12/29/2022, 8:34 PMHi Joye, I used the example you shared, here is my Schema https://play.authzed.com/s/nKyMjOrVUVvB/schema
Singha1
12/29/2022, 8:36 PMChallenge I have with this approach is, I will have to know all possible type of relations to avoid schema change in future. Is there anyway we can make relations also user defined so that no change (or least change) is required in future?
j
Joey
12/29/2022, 9:03 PMwhy not just add more when you need them?
s
Singha1
12/29/2022, 9:12 PMAs schema change is sensitive and want to keep the governance overhead as low as possible.
Singha1
12/29/2022, 9:13 PMThink, if multiple application using same schema file and using namespace for isolation.
j
Joey
12/29/2022, 9:32 PMstill, if you're adding new relations you should be... adding new relations
Joey
12/29/2022, 9:32 PMotherwise you're losing all forms of type safety and optimizations
s
Singha1
12/30/2022, 5:32 AMI get your point, but we have varied set of requirements, one way to achieve this I have is, https://play.authzed.com/s/D-WcA5DQlWy6/relationships I created a abstract object called permission_set, and assign this abstract object to Group or Role or User, only concern with this is, At time of making permission check , multiple hits would be required. Permission looks like this, Can Store_Owner has Search Access on Case?
j
Joey
12/30/2022, 5:58 AMyes, it works, in so much as you can define a schema that does it
Joey
12/30/2022, 5:58 AMbut as you said, it requires multiple checks and its going to be highly negative performance wise
Joey
12/30/2022, 5:58 AMnot to mention, by being completely dynamic, you'll have essentially no way to validate it
s
Singha1
12/30/2022, 9:09 AMGood Point, thanks Joey, I get that !
4 Views