The following schema demonstrates a hierarchical structure (Organization > Department > Project) with inherited permissions.

Each level has its own specific roles (admin/member, manager, lead) that grant certain permissions, while also inheriting permissions from the level above.

Before breaking it down, here is the complete schema:

entity user {}

entity organization {
    relation admin @user
    relation member @user

    action view = admin or member
    action edit = admin
}

entity department {
    relation parent @organization
    relation manager @user

    action view = parent.view or manager
    action edit = parent.edit or manager
}

entity project {
    relation parent @department
    relation lead @user

    action view = parent.view or lead
    action edit = parent.edit or lead
}

Breaking It Down

User Entity:

entity user {}

This is a simple entity representing a user with no specific relations or actions defined.

Organization Entity:

entity organization {
    relation admin @user
    relation member @user
    
    action view = admin or member
    action edit = admin
}

Has two relations: admin and member, both referring to users.

Defines two actions:

  • view: can be performed by admins or members
  • edit: can only be performed by admins

Department Entity:

entity department {
    relation parent @organization
    relation manager @user
    
    action view = parent.view or manager
    action edit = parent.edit or manager
}

Has two relations: parent (referring to an organization) and manager (referring to a user).

Defines two actions:

  • view: can be performed by those who can view the parent organization or the department manager
  • edit: can be performed by those who can edit the parent organization or the department manager

Project Entity:

entity project {
    relation parent @department
    relation lead @user
    
    action view = parent.view or lead
    action edit = parent.edit or lead
}

Has two relations: parent (referring to a department) and lead (referring to a user).

Defines two actions:

  • view: can be performed by those who can view the parent department or the project lead
  • edit: can be performed by those who can edit the parent department or the project lead
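To make the inheritance chain concrete, the following added example (not part of Permify or of this page) is a small reference evaluator that resolves `view` and `edit` over constructed relationship tuples exactly as the schema's `parent.view` / `parent.edit` references chain upward. The entity ids (acme, eng, api) and users (alice, bob, carol, dave) are made up for the demonstration.

```python
"""Reference evaluator for the Organization > Department > Project schema.

Added example, not Permify's own engine. Shows how `parent.view` and
`parent.edit` are resolved by following the `parent` relation to the
referenced entity and evaluating that entity's action there.
"""
from typing import Dict, List, Set, Tuple

# The page's schema: each action is an OR of direct relations and
# "<relation>.<action>" references to another entity.
SCHEMA: Dict[str, Dict[str, List[str]]] = {
    "organization": {"view": ["admin", "member"], "edit": ["admin"]},
    "department": {"view": ["parent.view", "manager"], "edit": ["parent.edit", "manager"]},
    "project": {"view": ["parent.view", "lead"], "edit": ["parent.edit", "lead"]},
}

# Constructed relationship tuples: (entity_type, entity_id, relation, subject_type, subject_id)
RELATIONSHIPS: List[Tuple[str, str, str, str, str]] = [
    ("organization", "acme", "admin", "user", "alice"),
    ("organization", "acme", "member", "user", "bob"),
    ("department", "eng", "parent", "organization", "acme"),
    ("department", "eng", "manager", "user", "carol"),
    ("project", "api", "parent", "department", "eng"),
    ("project", "api", "lead", "user", "dave"),
]


def subjects(entity_type: str, entity_id: str, relation: str, rels=RELATIONSHIPS) -> Set[Tuple[str, str]]:
    """All (subject_type, subject_id) that hold `relation` on the given entity."""
    return {(st, sid) for et, eid, r, st, sid in rels if (et, eid, r) == (entity_type, entity_id, relation)}


def can(user: str, action: str, entity_type: str, entity_id: str, rels=RELATIONSHIPS) -> bool:
    """Return True if `user` may perform `action` on the entity, recursing through parents."""
    for term in SCHEMA[entity_type][action]:
        if "." in term:
            relation, parent_action = term.split(".", 1)
            # Follow the relation (e.g. `parent`) and evaluate the action on each target.
            for parent_type, parent_id in subjects(entity_type, entity_id, relation, rels):
                if can(user, parent_action, parent_type, parent_id, rels):
                    return True
        elif ("user", user) in subjects(entity_type, entity_id, term, rels):
            return True  # direct relation such as admin / manager / lead
    return False


if __name__ == "__main__":
    targets = (("organization", "acme"), ("department", "eng"), ("project", "api"))
    for who in ("alice", "bob", "carol", "dave"):
        print(who, {f"{a}:{t}": can(who, a, t, i) for t, i in targets for a in ("view", "edit")})
```

Running it shows the asymmetry the schema encodes: permissions flow down (the organization admin can edit the project), but never up (the project lead cannot even view the department).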

More Advanced Example

See our Facebook Groups example to learn how to apply nested hierarchies in a real-world scenario.