// The subject type: every relation in this schema that names a person points at @user.
// It declares no relations or permissions of its own.
entity user {}
// An organization and the users attached to it under each role.
// The four roles are independent relations: nothing in this entity makes one
// role imply another (an admin is not automatically a member), and a user may
// hold several at once. No permissions are defined here; the roles are only
// consumed through `org.<role>` in the file and vendor entities.
entity organization {
// roles
relation admin @user
relation member @user
relation manager @user
relation agent @user
}
// A file, with access derived from its owner and from roles in its organization.
entity file {
// file-specific relations
relation owner @user
relation org @organization
// NOTE(review): `vendor` is declared but no permission in this entity references it,
// so linking a vendor to a file grants nothing by itself — confirm that is intended.
relation vendor @vendor
// file-specific permissions
// view: org admins, org managers, the owner, and org members who are not also agents.
// The exclusion is scoped by the parentheses to the member branch only: a user who is
// an agent but also an admin, a manager or the owner still gets view through that branch.
// If agents must never see files, the exclusion has to wrap the whole expression.
permission view = org.admin or org.manager or (org.member not org.agent) or owner
// edit: org admins, org managers and the owner; membership alone is not enough.
permission edit = org.admin or org.manager or owner
// delete: org admins and the owner only; managers can edit but not delete.
permission delete = org.admin or owner
}
// A vendor record, with access derived from roles in its organization and from its
// primary contact.
entity vendor {
// vendor-specific relations
relation primary_contact @user
relation org @organization
// vendor-specific permissions
// manage: org admins and org agents. Managers and the primary contact are not included.
permission manage = org.admin or org.agent
// view: org admins, managers, agents and the vendor's primary contact.
// `org.member` is not referenced by either permission, so plain members get no
// vendor access unless they also hold one of the roles named here.
permission view = org.admin or org.manager or org.agent or primary_contact
}