Let’s modify the global roles schema to represent resource-specific roles. Basically we include a new file entity and define specific permissions for it. Here’s an updated version of the schema: 
entity user {}

entity organization {
    // roles
    relation admin @user
    relation member @user
    relation manager @user
    relation agent @user
}

entity file {
    // file-specific relations
    relation owner @user
    relation org @organization
    relation vendor @vendor

    // file-specific permissions
    permission view = org.admin or org.manager or (org.member not org.agent) or owner
    permission edit = org.admin or org.manager or owner
    permission delete = org.admin or owner
}

entity vendor {
    // vendor-specific relations
    relation primary_contact @user
    relation org @organization
    
    // vendor-specific permissions
    permission manage = org.admin or org.agent
    permission view = org.admin or org.manager or org.agent or primary_contact
}
This model defines several entities and their relationships, permissions, and actions. Let’s break it down:

User Entity

This is a basic entity with no defined relations or permissions.

Organization Entity

  • Defines four roles: admin, member, manager, and agent.
  • These are represented as relations to the user entity.

File Entity

Relations

  • owner: relates to a user
  • org: relates to an organization
  • vendor: relates to a vendor

Permissions

  • view: granted to org admins, managers, members (excluding agents), or the file owner
  • edit: granted to org admins, managers, or the file owner
  • delete: granted to org admins or the file owner

Vendor Entity

Relations

  • org: relates to an organization
  • primary_contact: relates to a user

Permissions

  • manage: granted to org admins or agents
  • view: granted to org admins, managers, or agents