User Groups
For a large number of users, managing access for entire groups can be more efficient than assigning roles to individual users.
User groups essentially mean that if you are part of a group, you can access certain resources or perform specific actions.
Let's demonstrate how this can be modeled using a simple project management system scenario.
entity user {}
entity organization {
// organizational roles
relation admin @user
relation member @user
}
entity team {
// represents the owner or creator of the team
relation owner @user
// represents a direct member of the team
relation member @user
// reference to the organization that the team belongs to
relation org @organization
// organization admins or team owners can edit or delete the team details
permission edit = org.admin or owner
permission delete = org.admin or owner
// to invite someone you need to be an org admin and either the owner or a member of this team
permission invite = org.admin and (owner or member)
// only owners can remove users
permission remove_user = owner
}
entity project {
// references to the team and organization that the project belongs to
relation team @team
relation org @organization
permission view = org.admin or team.member
permission edit = org.admin or team.member
permission delete = team.member
}
Breaking It Down
User Entity:
entity user {}
This is a basic entity representing a user in the system. It doesn’t have any specific relations or permissions defined.
Organization Entity:
entity organization {
relation admin @user
relation member @user
}
The organization entity has two relations: admin and member, both referencing users.
This allows users to be assigned roles within an organization.
Team Entity:
entity team {
relation owner @user
relation member @user
relation org @organization
permission edit = org.admin or owner
permission delete = org.admin or owner
permission invite = org.admin and (owner or member)
permission remove_user = owner
}
The team entity has three relations: owner (a user), member (the team's direct member users), and org (the organization the team belongs to).
It defines four permissions:
- edit: Organization admins or team owners can edit the team.
- delete: Organization admins or team owners can delete the team.
- invite: Organization admins who are also either team owners or members can invite others.
- remove_user: Only team owners can remove users from the team.
Project Entity:
entity project {
relation team @team
relation org @organization
permission view = org.admin or team.member
permission edit = org.admin or team.member
permission delete = team.member
}
The project entity has two relations: team and org, representing the team and organization it belongs to.
It defines three permissions:
- view: Organization admins or team members can view the project.
- edit: Organization admins or team members can edit the project.
- delete: Only team members can delete the project.
This model establishes a hierarchy where organizations contain teams, which in turn contain projects. It also defines various permissions based on user roles within organizations and teams.
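To see how these permission expressions resolve against concrete data, here is an added Python example (not part of the original page and not Permify's own engine): a small in-memory evaluator that mirrors the schema above and checks each permission for a few constructed users and relation tuples. The tuples, user names and the `Store`, `check` and `permissions_for` helpers are all assumptions made for this illustration.

```python
# Added example (not Permify's own engine): a minimal evaluator that mirrors
# the user-groups schema on this page so permission checks can be traced by hand.
from collections import defaultdict

# Relation tuples CONSTRUCTED for this example: (entity, relation, subject)
TUPLES = [
    ("organization:acme", "admin",  "user:alice"),
    ("organization:acme", "member", "user:bob"),
    ("organization:acme", "member", "user:carol"),
    ("team:core",         "owner",  "user:bob"),
    ("team:core",         "member", "user:carol"),
    ("team:core",         "member", "user:alice"),   # alice is org admin AND team member
    ("team:core",         "org",    "organization:acme"),
    ("project:p1",        "team",   "team:core"),
    ("project:p1",        "org",    "organization:acme"),
]


class Store:
    """In-memory relation store keyed by (entity, relation) -> set of subjects."""

    def __init__(self, tuples):
        self._rel = defaultdict(set)
        for entity, relation, subject in tuples:
            self._rel[(entity, relation)].add(subject)

    def has(self, entity, relation, subject):
        """True if `subject` holds `relation` directly on `entity`."""
        return subject in self._rel.get((entity, relation), set())

    def refs(self, entity, relation):
        """Entities referenced by a relation, e.g. the org a team belongs to."""
        return self._rel.get((entity, relation), set())


# Each permission is written exactly as the schema expresses it:
#   r(name)          -> user holds a direct relation `name` on this entity
#   via(rel, target) -> follow the reference relation `rel`, then check `target` there
SCHEMA = {
    "organization": {"relations": {"admin", "member"}, "permissions": {}},
    "team": {
        "relations": {"owner", "member", "org"},
        "permissions": {
            "edit":        lambda r, via: via("org", "admin") or r("owner"),
            "delete":      lambda r, via: via("org", "admin") or r("owner"),
            "invite":      lambda r, via: via("org", "admin") and (r("owner") or r("member")),
            "remove_user": lambda r, via: r("owner"),
        },
    },
    "project": {
        "relations": {"team", "org"},
        "permissions": {
            "view":   lambda r, via: via("org", "admin") or via("team", "member"),
            "edit":   lambda r, via: via("org", "admin") or via("team", "member"),
            "delete": lambda r, via: via("team", "member"),
        },
    },
}


def check(store, user, entity, name):
    """Resolve a relation or permission `name` for `user` on `entity` (e.g. 'team:core')."""
    entity_type = entity.split(":", 1)[0]
    spec = SCHEMA[entity_type]
    if name in spec["relations"]:
        return store.has(entity, name, user)

    def r(rel):
        return store.has(entity, rel, user)

    def via(rel, target):
        # Recurse into every referenced entity; any match grants the permission.
        return any(check(store, user, ref, target) for ref in store.refs(entity, rel))

    return spec["permissions"][name](r, via)


def permissions_for(store, user, entity):
    """Map every permission defined on the entity's type to its result for `user`."""
    entity_type = entity.split(":", 1)[0]
    return {p: check(store, user, entity, p) for p in SCHEMA[entity_type]["permissions"]}


STORE = Store(TUPLES)

if __name__ == "__main__":
    for user in ("user:alice", "user:bob", "user:carol", "user:dave"):
        for entity in ("team:core", "project:p1"):
            print(user, entity, permissions_for(STORE, user, entity))
```

Two results are worth tracing by hand. First, `invite` on the team uses `and`, so alice only gets it because she is both the org admin and a direct team member; an org admin who is not on the team is refused. Second, bob owns the team but is not listed as a `member`, and nothing in the schema makes `owner` imply `member`, so bob cannot `view` or `edit` the project at all. If owners are supposed to see their team's projects, the schema needs to say so explicitly rather than relying on intuition about what "owner" means.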
More Advanced Example
See our Facebook Groups example to learn how to apply user groups in a real-world scenario.