# spicedb
f
Schema design question stemming from https://authzed.com/blog/schema-language-patterns/
given the example schema for the "site-wide super admin example"
```zed
definition platform {
    relation administrator: user
    permission super_admin = administrator
}

definition organization {
    relation platform: platform
    permission admin = platform->super_admin
}

definition resource {
    relation owner: user | organization
    permission admin = owner + owner->admin
}

definition user {}
```
question: The `->` operator is used to walk the hierarchy of relations to compute the `owner->admin` permission. `owner` in this case is defined as `user | organization`. My question is around whether this is a good practice or not when the subject, as in this case, is comprised of multiple objects which may not all have that `admin` permission. In this case, there is no permission `admin` defined on `user`, so the `owner->admin` computed permission really only applies to `organizations`, but this modeling detail is not codified anywhere. Seems weird/potentially bad?
j
it's weird, but functional
however, if you expect all resources to have an org
I'd recommend creating a distinct relation for it
`relation organization: organization`
f
thx
I'm still gathering data around what good schema design techniques/implementations look like, and this one threw me off
j
yeah, generally you want distinct `relation`s unless they mean the same thing
in this case the organization isn't really the owner if a user is too
unless you also want to check if the org is `admin` too, itself