https://authzed.com logo
Join Discord
Powered by
schema question: docs say ```Relations can also "...
# spicedb
f
schema question: docs say
Copy code
Relations can also "contain" references to other relations/permissions.

For example, a group's member relation might include the set of objects marked as member of another group, indicating that the other group's members are, themselves, members of this group:

definition user {}

definition group {
    /**
     * member can include both users and *the set of members* of other specific groups.
     */
    relation member: user | group#member
}
how would you represent a relation that is a composite of other relations defined on the same object. That example is effectively saying "a member of this group can be a user or a member of another group" I want to express something like the following:
Copy code
definition container {
    relation viewer: user
    relation writer: user
    relation member: viewer | writer
}
I want a member to be defined as the union of the set of viewers and writers on this and only this object I could obviously do
Copy code
definition container {
    relation viewer: user
    relation writer: user
    relation member: container#viewer | container#writer
}
but I don't want it to be true that any other container's viewer could be a member of this container
j
permission member = viewer+ writer
if it’s always the case
If not, the design above is the best approach
f
yeah was hoping to avoid modeling 
member
as a permission, since it's not really a capability, rather a relationship
j
well, it is a relationship
its just a synthetic one
which is what a 
permission
is
f
hmm ok. It's not intuitively clicking for me why supporting 
relation member: container#viewer | container#writer
either isn't feasible, wouldn't be a good idea if it were feasible, or is just nonsensical haha
j
you can do that
its supported
but it can be any container
and if it is just saying "member is viewer and writer"
then that's what permission is for
f
woops sorry, yeah I meant 
relation member: viewer | writer
, the version that would be "scoped" to the current container. But ok, sounds like I need to update my mental model of the difference between relations and permissions.
j
a 
relation
is a defined data-based relationhip
a 
permission
is a synthetic relationship
f
ok I think I get it! A permission is a computed set of concrete relationships. A relation merely defines the blueprint for which types can relate to other types. I was confused because I was thinking of permission as a synonym for "capability" or "action" when it's actually just a label for a set of relationships, which is what I was trying to express via 
relation member: viewer | writer
j
yeah
we named it 
permission
because that's how it is commonly used
permission is_member = viewer + writer
would be more accurate naming
and with that name, it makes sense: a user is_member if they are a viewer or writer
f
makes sense. ty sir
5 Views
PreviousNext
Powered by