
fierro

02/16/2023, 2:27 AM
suggestion for improvement in the "site wide super-admin access example"
the full example schema is
definition platform {
    relation administrator: user
    permission super_admin = administrator
}

definition organization {
  // The platform is generally a singleton pointing to the same
  // platform object, on which the superuser is in turn granted
  // access.
    relation platform: platform
    permission admin = platform->super_admin
}

definition resource {
    relation owner: user | organization
    permission admin = owner + owner->admin
}

definition user {}
my suggestion is to add another administrator relation on organization to make it clear that there can be org admins who are only admins of the org they belong to, whereas there can be platform wide super-admins who have all the same permissions the org admins do
so the organization definition would become
definition organization {
  // The platform is generally a singleton pointing to the same
  // platform object, on which the superuser is in turn granted
  // access.
    relation platform: platform
    relation administrator: user
    permission admin = administrator + platform->super_admin
}
this makes sense to me but I may have missed the intent of the example. just my two cents

vroldanbet

02/16/2023, 9:34 AM
πŸ‘‹πŸ»it's fair feedback, and I agree the pattern you describe is pretty common, and may be more what users may be looking for in an example like this. My guess is the example tried to capture the notion of a "top-level overarching object" that folks seem to struggle to come up with.

jzelinskie

02/16/2023, 6:37 PM
perhaps it's worth a PR to the examples repository? https://github.com/authzed/examples

fierro

02/17/2023, 3:44 AM
will put up a PR -- just wanted to make sure I didn't miss the intent or that there was a good reason for the relation's absence. Confidence in schema decisions slowly rising but still fairly low. thx!