Organization Hierarchies
Following schema demonstrates a hierarchical structure (Organization > Department > Project) with inherited permissions.
Each level has its own specific roles (admin/member, manager, lead) that grant certain permissions, while also inheriting permissions from the level above.
Before breaking down, lets provide the completed schema:
entity user {}
entity organization {
relation admin @user
relation member @user
action view = admin or member
action edit = admin
}
entity department {
relation parent @organization
relation manager @user
action view = parent.view or manager
action edit = parent.edit or manager
}
entity project {
relation parent @department
relation lead @user
action view = parent.view or lead
action edit = parent.edit or lead
}
Breaking Down
User Entity:
entity user {}
This is a simple entity representing a user with no specific relations or actions defined.
Organization Entity:
entity organization {
relation admin @user
relation member @user
action view = admin or member
action edit = admin
}
Has two relations: admin and member, both referring to users
Defines two actions:
- view: can be performed by admins or members
- edit: can only be performed by admins
Department Entity:
entity department {
relation parent @organization
relation manager @user
action view = parent.view or manager
action edit = parent.edit or manager
}
Has two relations: parent (referring to an organization) and manager (referring to a user)
Defines two actions:
- view: can be performed by those who can view the parent organization or the department manager
- edit: can be performed by those who can edit the parent organization or the department manager
Project Entity:
entity project {
relation parent @department
relation lead @user
action view = parent.view or lead
action edit = parent.edit or lead
}
Has two relations: parent (referring to a department) and lead (referring to a user)
Defines two actions:
- view: can be performed by those who can view the parent department or the project lead
- edit: can be performed by those who can edit the parent department or the project lead
More Advance Example
See our Facebook Groups example to learn how to apply nested hierarchies in a real-world scenario.