Jake
02/03/2023, 3:06 PM
platform object with an admin role on it. You still have to have some relationship on every resource, but not for every admin. https://authzed.com/blog/schema-language-patterns/
erickhgm
02/03/2023, 4:14 PM
Joey
02/03/2023, 4:14 PM
global
erickhgm
02/03/2023, 4:15 PM
Joey
02/03/2023, 4:18 PM
definition foo/sometype { ... }
erickhgm
02/03/2023, 4:19 PM
definition resource {
    relation owner: user | organization
    permission admin = owner + owner->admin
}
In this line: permission admin = owner + owner->admin, the user can only have access if he is owner->admin from platform ID=1
platform1/resource { ... }
platform2/resource { ... }
Joey
02/03/2023, 4:45 PM
erickhgm
02/03/2023, 7:33 PM
mysystem1/resource { ... }
mysystem2/resource { ... }
Joey
02/03/2023, 7:42 PM
erickhgm
02/03/2023, 7:49 PM
Joey
02/03/2023, 8:00 PM
erickhgm
02/03/2023, 8:15 PM
platform:1#admin#user:1 and platform:2#admin#user:2
But if I use the schema below, I will have resources from platform:1 and platform:2 in the database.
For example, resource:1 is from platform1 and resource:2 is from platform2
So, if I check resource:1#admin#user:1 I will get true (it's ok, user:1 and resource:1 are from the same platform)
But if I check resource:2#admin#user:1 I will get true (it's not ok, user:1 is from the platform:1 and resource:2 is from platform:2)
definition user {}
definition platform {
    relation administrator: user
    permission super_admin = administrator
}
definition organization {
    relation platform: platform
    permission admin = platform->super_admin
}
definition resource {
    relation owner: user | organization
    permission admin = owner + owner->admin
}
Joey
02/03/2023, 8:47 PM
dsieczko
02/04/2023, 11:13 AM
erickhgm
02/10/2023, 2:06 AM