https://authzed.com logo
Join Discord
Powered by
suggestion for improvement in the "site wide super...
# spicedb
f
suggestion for improvement in the "site wide super-admin access example"
the full example schema is
Copy code
definition platform {
    relation administrator: user
    permission super_admin = administrator
}

definition organization {
  // The platform is generally a singleton pointing to the same
  // platform object, on which the superuser is in turn granted
  // access.
    relation platform: platform
    permission admin = platform->super_admin
}

definition resource {
    relation owner: user | organization
    permission admin = owner + owner->admin
}

definition user {}
my suggestion is to add another 
administrator
relation on organization to make it clear that there can be org admins who are only admins of the org they belong to, whereas there can be platform wide super-admins who have all the same permissions the org admins do
so the 
organization
definition would become
Copy code
definition organization {
  // The platform is generally a singleton pointing to the same
  // platform object, on which the superuser is in turn granted
  // access.
    relation platform: platform
    relation administrator: user
    permission admin = administrator + platform->super_admin
}
this makes sense to me but I may have missed the intent of the example. just my two cents
v
πŸ‘‹πŸ»it's fair feedback, and I agree the pattern you describe is pretty common, and may be more what users may be looking for in an example like this. My guess is the example tried to capture the notion of a "top-level overarching object" that folks seem to struggle to come up with.
j
perhaps it's worth a PR to the examples repository? https://github.com/authzed/examples
f
will put up a PR -- just wanted to make sure I didn't miss the intent or that there was a good reason for the relations absence. Confidence in schema decisions slowly rising but still fairly low. thx!
PreviousNext
Powered by