Skip to main content
Explore Mercury’s Authorization Schema in this example, delving into the intricate interplay among users, organizations, and accounts. Uncover the defined user roles, approval workflows, and limits, providing a snapshot of the dynamic relationships within the Mercury ecosystem. For those who don’t know, Mercury is a bank offering both checking and savings accounts, complete with debit and credit card features. Given the delicate nature of financial transactions, Mercury has built-in access control features to ensure security. But today we’re going to focus on approvals. Mercury allows it’s users to set a number amount for multiple user approval for any action. For instance, an admin can decide that withdrawals above $1000 by members require approval from two designated approvers. This means, if a member wants to withdraw more than $1000, they need a green light from two admin. And if an admin tries to withdraw they need an approval form another admin.
  • Admin → Withdraw $1000 → needs an approver
  • Member → Withdraw $1000 → needs 2 approvers.

Full Schema | Open in playground

So let’s start with building basics. We need Users, Organization, Accounts both Savings and Deposits as entities in the mercury
entity user {}

entity organization {}

entity teams {}

entity accounts {}
Then inserting relations into these entities.
entity user {}

entity organization {
	relation admin @user
	relation member @user
}

entity accounts {
	relation checkings @accounts
	relation savings @accounts

	relation org @organization
}
Next step is to define actions in our use case.
entity user {}

entity organization {
    relation admin @user
    relation member @user
}

entity account {

    relation checkings @account
    relation savings @account

    relation org @organization

    action withdraw =

}
Now we need to define our attributes which will help us create access rights via Withdraw Limit and Admin Approval of the account. Every organization has a set withdrawal limit. Additionally, for members and admins of the organization, there are specific approval limits in place when they attempt to withdraw amounts exceeding this limit.
entity user {}

entity organization {
    relation admin @user
    relation member @user
}

entity account {

    relation checkings @account
    relation savings @account

    relation org @organization

    attribute approval integer
    attribute balance double

    action withdraw =

}
Let’s create our rules that defines our attribute-based access rights.
  • Balance of the account must be more than withdraw amount
  • If withdraw amount is less than the withdraw limit we don’t need approval
  • Else; we need approve of two admins if we’re member, and we need approve of single admin if we’re another admin.
entity user {}

entity organization {
    relation admin @user
    relation member @user

    attribute admin_approval_limit integer
    attribute member_approval_limit integer
    attribute approval_num integer

    action approve = admin
    action create_account = admin

    permission approval = (member and check_member_approval(approval_num, member_approval_limit)) or (admin and check_admin_approval(approval_num, admin_approval_limit))
}

entity account {
    relation checkings @account
    relation savings @account

    relation owner @organization
    
    attribute withdraw_limit double
    attribute balance double 

    action withdraw = check_balance(balance, request.amount) and (check_limit(withdraw_limit, request.amount) or owner.approval)
}

rule check_balance(balance double, amount double) {
    balance >= amount
}

rule check_limit(withdraw_limit double, amount double) {
    withdraw_limit >= amount 
}

rule check_admin_approval(approval_num integer, admin_approval_limit integer) {
    approval_num >= admin_approval_limit
}

rule check_member_approval(approval_num integer, member_approval_limit integer) {
    approval_num >= member_approval_limit
}
At last, as you can see we use the Rules to define access rights to withdraw which basically translates into;
  • Check balance if it’s over the withdraw amount. If not don’t allow the action.
  • Check withdraw limit; if it’s less than the limit allow the action…
  • Else;
    • Check if user is admin, and have approval more than the approval limit for admins.
    • Check if user is member, and have approval more than the approval limit for members.

Need any help ?

This is the end of demonstration of the authorization structure for Facebook groups. To install and implement this see the Set Up Permify section.
I