…defined by the @user annotation on one end and by the @group#member and @group#manager annotations on the other end, which correspond to the group entity's member and manager relations.
viewer: A relationship between users who are authorized to view the document. This relationship is defined by the @user annotation on one end and by the @group#member and @group#manager annotations on the other end, which correspond to the group entity's member and manager relations.
The document entity has two actions defined:
…defined by the @user annotation on one end and by the @group#member and @group#manager annotations on the other end, which correspond to the group entity's member and manager relations.
direct_member: A relationship between users who are members of the group. This relationship is defined by the @user annotation on one end and by the @group#member and @group#manager annotations on the other end, which correspond to the group entity's member and manager relations.
The group entity has one action defined:
…defined by the @group annotation on the end corresponding to the group entity.
document: A relationship between the organization and its documents. This relationship is defined by the @document annotation on the end corresponding to the document entity.
administrator: A relationship between users who are authorized to manage the organization. This relationship is defined by the @user annotation on one end and by the @group#member and @group#manager annotations on the other end, which correspond to the group entity's member and manager relations.
direct_member: A relationship between users who are direct members of the organization. This relationship is defined by the @user annotation on the end corresponding to the user entity.
The organization entity has two permissions defined:
can user:ashley edit document:product_database ?

This check first looks for any direct or indirect manager relation that user:ashley holds within document:product_database. It then checks whether user:ashley has an admin relation in the Acme organization that owns the document (organization:acme#document@document:product_database). Ashley has no administrative relation in Acme Org, but she is a manager of the tech group (group:tech#manager@user:ashley), and we have defined that managers of the tech group are managers of product_database with the tuple document:product_database#manager@group:tech#manager. Therefore the "can user:ashley edit document:product_database" check should yield true.

can user:joe view document:hr_documents ?

This check first looks for any direct or indirect manager or viewer relation that user:joe holds within document:hr_documents, and then checks whether user:joe has an admin relation in the Acme organization that owns the document (organization:acme#document@document:hr_documents). Joe has no administrative relation in Acme Org, and no manager relation on that document or on any other entity. He is, however, a member of the hr group (group:hr#member@user:joe), and we have defined that hr members are viewers of hr_documents (document:hr_documents#viewer@group:hr#member). So this check should yield true.

can user:david view document:marketing_materials ?

This check first looks for any direct or indirect manager or viewer relation that user:david holds within document:marketing_materials, and then checks whether user:david has an admin relation in the Acme organization that owns the document (organization:acme#document@document:marketing_materials). Like Joe and Ashley, David has no administrative relation in Acme Org. Unlike them, David also has no member or manager relation with the marketing group, so no tuple carries a viewer or manager relation over to document:marketing_materials. So this check should yield false.

Start Permify with make serve.
Then run permify validate {path of your schema validation file} to start the test process.
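To see why the three assertions resolve to true, true and false, here is an added example (not Permify's engine and not the page's validation file) that replays the checks over the page's own relationship tuples with a minimal Zanzibar-style resolver. The action definitions are assumptions reconstructed from the narration, since the page does not show them: document edit = manager or org.admin, document view = viewer or manager or org.admin, organization admin = administrator; the "org" hop is resolved by reading the organization's document relation in reverse, matching the organization:acme#document@document:... tuples above.

```python
# Added example, not Permify's own code. A toy resolver that walks the
# relationship tuples from the page and evaluates the three narrated checks.
#
# Assumed rewrite rules (the page does not show the schema's actions):
#   document.edit      = manager or org.admin
#   document.view      = viewer or manager or org.admin
#   organization.admin = administrator
# The "org" hop is an assumption too: an organization owns a document when
# it has a `document` relation pointing at it (organization:acme#document@document:X).

# Constructed relationship tuples in "entity:id#relation@subject" notation,
# taken from the narration above.
TUPLES = [
    "organization:acme#document@document:product_database",
    "organization:acme#document@document:hr_documents",
    "organization:acme#document@document:marketing_materials",
    "group:tech#manager@user:ashley",
    "group:hr#member@user:joe",
    "document:product_database#manager@group:tech#manager",
    "document:hr_documents#viewer@group:hr#member",
]

# action -> alternatives joined by "or". An alternative is either a relation on
# the same entity ("manager") or a hop to the owning organization ("org.admin").
RULES = {
    "document": {"edit": ["manager", "org.admin"],
                 "view": ["viewer", "manager", "org.admin"]},
    "organization": {"admin": ["administrator"]},
}


def parse(tup):
    """Split 'entity:id#relation@subject' into its three parts."""
    left, subject = tup.split("@", 1)
    entity, relation = left.split("#", 1)
    return entity, relation, subject


def subjects(entity, relation):
    """Subjects (users or usersets such as group:tech#manager) of entity#relation."""
    return [s for e, r, s in map(parse, TUPLES) if e == entity and r == relation]


def owning_organizations(document):
    """Organizations whose 'document' relation points at this document (reverse lookup)."""
    return [e for e, r, s in map(parse, TUPLES)
            if e.startswith("organization:") and r == "document" and s == document]


def has_relation(user, entity, relation, path):
    """True if user holds relation on entity directly or through a userset subject."""
    for subj in subjects(entity, relation):
        if subj == user:
            return True
        if "#" in subj:  # userset: anyone holding that relation on that entity qualifies
            sub_entity, sub_relation = subj.split("#", 1)
            if check(user, sub_entity, sub_relation, path):
                return True
    return False


def check(user, entity, name, path=frozenset()):
    """Evaluate action `name` on entity for user; names with no rule are plain relations."""
    key = (entity, name)
    if key in path:  # cycle guard for self-referential usersets
        return False
    path = path | {key}
    alternatives = RULES.get(entity.split(":", 1)[0], {}).get(name)
    if alternatives is None:
        return has_relation(user, entity, name, path)
    for alt in alternatives:
        if alt.startswith("org."):
            perm = alt[len("org."):]
            if any(check(user, org, perm, path) for org in owning_organizations(entity)):
                return True
        elif check(user, entity, alt, path):
            return True
    return False


# The page's three assertions in its "can <user> <action> <entity>" form.
ASSERTIONS = {
    "can user:ashley edit document:product_database": True,
    "can user:joe view document:hr_documents": True,
    "can user:david view document:marketing_materials": False,
}


def run_assertions(assertions=ASSERTIONS):
    """Return {query: (actual, expected)} so any mismatch is visible at a glance."""
    out = {}
    for query, expected in assertions.items():
        _, user, action, entity = query.split()
        out[query] = (check(user, entity, action), expected)
    return out


if __name__ == "__main__":
    for query, (actual, expected) in run_assertions().items():
        print(f"{query}: {actual} (expected {expected})")
```

The negative assertion for David is the one worth keeping in a real validation file: a schema that accidentally widens view (for example by adding org.member as an alternative) would still pass Ashley's and Joe's checks, and only the expected-false case would catch it.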
The validation result according to our example schema validation file: