https://authzed.com logo
Powered by
Title
j

Jake

02/03/2023, 3:06 PM
Usually you have that role up to a 
platform
object with an admin role on it. You still have to have some relationship on every resource, but not for every admin. https://authzed.com/blog/schema-language-patterns/
e

erickhgm

02/03/2023, 4:14 PM
Great, It will work! Can I ignore the platform ID?
j

Joey

02/03/2023, 4:14 PM
yes
you can even have different platforms, if you like
most people use something like 
global
e

erickhgm

02/03/2023, 4:15 PM
I found this in the docs: > SpiceDB supports an optional prefix for Object Types that can be used for logically separating types when multiple tenants are using the same deployment. https://authzed.com/docs/reference/glossary#notable-differences Where can I found more about it (tenant)?
j

Joey

02/03/2023, 4:18 PM
its mostly a convention
you can name definitions like 
definition foo/sometype { ... }
e

erickhgm

02/03/2023, 4:19 PM
Ok, I got know ...
But, If I use platform ID, how can I specify the ID? 
definition resource {
    relation owner: user | organization
    permission admin = owner + owner->admin
}
In this line: 
permission admin = owner + owner->admin
, the user only can have access if he is 
owner->admin
from platform ID=1
I can have 2 admins: user1 admin in platform:1 user2 admin in platform:2
Do I have to duplicate the schema? 
platform1/resource { ... }
platform2/resource { ... }
j

Joey

02/03/2023, 4:45 PM
you'd generally have a different relation for the organization and the user
e

erickhgm

02/03/2023, 7:33 PM
I didn't understand ... I can have for example, the same system with the same schema running in different namespaces, and each namespace being accessed by a different client. MySystem1 -> Company1 MySystem2 -> Company2 Both have the same schema (because are the same system) in spicedb. With this I will have 2 admins tuples. Do I need to do that to reach this using the same spicedb instance? 
mysystem1/resource { ... }
mysystem2/resource { ... }
j

Joey

02/03/2023, 7:42 PM
> and each namespace being accessed by a different client. there is only one schema
prefixes are a naming convention only
and unless you need the resource types to be different, you should not use different prefixes
e

erickhgm

02/03/2023, 7:49 PM
What I'm trying is to have something like a tenant. MySystem1 (bussines db1) -> Company1 MySystem2 (bussines db2) -> Company2 Both are the same system, but running with its own database, they have the same schema and resource types. Do I need two instances of spicedb? One for each MySystem instance.
j

Joey

02/03/2023, 8:00 PM
if you want them to be completely isolated, yes
e

erickhgm

02/03/2023, 8:15 PM
In my case I don't need it, doesn't make sense to create a new spicedb replica for each new client/system instance. I understand that I can have a 
platform:1#admin#user:1
and 
platform:2#admin#user:2
But if I use the schema below, I will have resources from 
platform:1
and 
platform:2
in the database. For example, 
resource:1
is from 
platform1
and 
resource:2
is from 
platform2
So, if I check 
resource:1#admin#user:1
I will get true (its ok, 
user:1
and 
resource:1
are from the same platform) But if I check 
resource:2#admin#user:1
I will get true (its not ok, 
user:1
is from the 
platform:1
and 
resource:2
is from 
platform:2
) 
definition user {}
definition platform {
    relation administrator: user
    permission super_admin = administrator
}
definition organization {
    relation platform: platform
    permission admin = platform->super_admin
}
definition resource {
    relation owner: user | organization
    permission admin = owner + owner->admin
}
j

Joey

02/03/2023, 8:47 PM
that's only true if you link the resources' parent organization(s) both to the same platform
d

dsieczko

02/04/2023, 11:13 AM
Hi @erickhgm - just wanted to make sure you got the answers you're looking for here?
e

erickhgm

02/10/2023, 2:06 AM
Yes, I'm a little busier this week, so I didn't took the channel...
2 Views
#spicedbJoin Discord
Powered by