
Keverw | 3 years ago

I was just skimming over it real quick, but didn't read the whole thing either. One thing that stood out is that a group can hold another group. So I guess if you had roles like tech support, web development, financial, etc., you could make a CEO role that includes the permissions within those other roles? If I am reading that right; never thought about that, though. Kinda neat as role reusability.

jschorr | 3 years ago

Yep! Groups can be easily nested under one another by simply creating a relationship between the group's members and the members of another group.

In SpiceDB [0] schema this can be represented like so:

  definition group {
    relation member: user | group#member
  }

Here `member` allows a relationship to itself, which allows writing a relationship saying that every member of one group is a member of the containing group.

I threw together an example in our playground [1], if you'd like to try it out!

[0]: https://github.com/authzed/spicedb

[1]: https://play.authzed.com/s/9D5h9I7mE9mK/schema

oh_sigh | 3 years ago

Not only inclusion, but other operators as well, such as negation, so you can say

  CanAccessAmericanSecrets = AllSREs - EmployeesInEnemyState

(or whatever)
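Both ideas in the two replies above, a group whose members include another group's members and a permission written as a set difference, as an added example that is not part of the thread or of SpiceDB itself: a small Python evaluator over constructed Zanzibar-style relation tuples. The group and user names are assumed, and one group deliberately points back at its parent so the cycle guard is exercised.

```python
from typing import FrozenSet, Set, Tuple

# One Zanzibar-style relation tuple: (object, relation, subject). A subject is
# either a plain user id ("user:alice") or a userset ("group:web#member"),
# matching the `user | group#member` union in the schema above.
RelTuple = Tuple[str, str, str]

# Constructed sample data (hypothetical names). group:sre is built from two
# nested groups, and group:ops points back at group:sre to form a cycle.
TUPLES: Set[RelTuple] = {
    ("group:web", "member", "user:alice"),
    ("group:ops", "member", "user:bob"),
    ("group:ops", "member", "group:sre#member"),   # cycle: ops -> sre -> ops
    ("group:sre", "member", "group:web#member"),   # every web member is an SRE
    ("group:sre", "member", "group:ops#member"),   # every ops member is an SRE
    ("group:enemy_state", "member", "user:bob"),
}


def expand(obj: str, relation: str, tuples: Set[RelTuple],
           seen: FrozenSet[Tuple[str, str]] = frozenset()) -> Set[str]:
    """Users reachable from obj#relation, recursing through nested usersets.

    `seen` holds the usersets already on the current path so that cyclic
    group membership terminates instead of recursing forever.
    """
    key = (obj, relation)
    if key in seen:
        return set()
    seen = seen | {key}
    users: Set[str] = set()
    for o, r, subject in tuples:
        if (o, r) != key:
            continue
        if "#" in subject:                      # userset: expand it in turn
            sub_obj, sub_rel = subject.split("#", 1)
            users |= expand(sub_obj, sub_rel, tuples, seen)
        else:                                   # direct user member
            users.add(subject)
    return users


def can_access_secrets(user: str, tuples: Set[RelTuple] = TUPLES) -> bool:
    """CanAccessAmericanSecrets = AllSREs - EmployeesInEnemyState, evaluated
    as a set difference over the two expanded groups."""
    allowed = expand("group:sre", "member", tuples) \
        - expand("group:enemy_state", "member", tuples)
    return user in allowed
```

Bob is an SRE through group:ops but is also listed in group:enemy_state, so the difference excludes him while Alice, reachable only through the nested group:web, is allowed.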

rad_gruchalski | 3 years ago

No idea why you are getting downvoted. You are correct. The white paper section 2.3 talks exactly about that. The namespace configuration pseudo-code shows exactly how this is written. Took me over a year to arrive at this conclusion.