#schema


heavy merlin
#

Morning folks!

I'm working on this schema:

```
// the opening line of the maps entity was cut off in the paste; the post below refers to it as `maps`
entity maps {
    attribute owner_type string
    relation owner @user @team @organization

    relation collaborator @user @team#member @organization#member
    relation viewers @user @team#member @organization#member

    action view = viewers

    action edit = owner or collaborator
    action edit_as_owner = owner
    action edit_as_collaborator = collaborator

    action transfer = (is_user_type(owner_type) and owner) or (is_group_type(owner_type) and owner.transfer_maps)
}

rule is_user_type(owner_type string) {
    owner_type == 'user'
}

rule is_group_type(owner_type string) {
    owner_type == 'team' || owner_type == 'organization'
}

entity user {
    attribute transfer_own_maps boolean
    action transfer_maps = transfer_own_maps
}

entity team {
    relation parent @organization

    relation admin @user
    relation owner @user
    relation member @user

    action transfer_maps = admin or owner
}

entity organization {
    relation admin @user
    relation owner @user
    relation member @user @team#member

    action transfer_maps = admin or owner
}
```

I have some doubts around the multiple-type relation `owner` of the `maps` entity.

Basically what I want to accomplish is being able to determine if a user can transfer the map ownership to another user or team/org.

For that I added an action in the `organization` and `team` entities that checks if the user is the admin or the owner of the team/organization that owns the map, in those cases they can transfer.

I had to add a dummy action `transfer_maps` on the user model named the same way as the one used on the team/organization entities because otherwise it won't work.

I also had to add an `owner_type` in the `maps` entity so I was able to do this in the `transfer` action:

`action transfer = (is_user_type(owner_type) and owner) or (is_group_type(owner_type) and owner.transfer_maps)`

I'm wondering if that seems correct. Thanks!
tropic trellis
#
```
// the opening line of the user entity was cut off in the paste
entity user {
    attribute department string
}

entity host {
    relation owner @user
    relation member @user

    attribute department string

    permission view_host = check_department(department)
    permission edit_host = owner
}

rule check_department(department string) {
    // How should the rule be written?
}
```

I want to implement that when the user's department attribute matches the host's department attribute, the user can access the host.
How do I write this rule?
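One way to express that match, added here as an example and not taken from the thread: a rule cannot walk from `host` to the user's attribute, so the caller's department is supplied as context data in the check request (the `request.department` key is an assumption) and compared with the host's own attribute in a two-argument rule.

```permify
entity user {
    attribute department string
}

entity host {
    relation owner @user
    relation member @user

    attribute department string

    // request.department is the caller's department, passed as context data
    // with the check call; it is compared against this host's attribute.
    permission view_host = check_department(request.department, department)
    permission edit_host = owner
}

rule check_department(user_department string, host_department string) {
    user_department == host_department
}
```

The check request then has to carry the caller's department under `context.data` (for example `{"department": "finance"}`), since the engine does not read it from the user entity.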

tropic trellis
#

I reviewed the documentation at https://permify.co/post/unveiling-permify-abac/ and found that the schema is incorrect.

```
entity user {}

entity account {
    //users own an account.
    relation owner @user

    attribute region string[]
    attribute region_ip string[]

    action create_profile = owner
}

entity profile {
    //Accounts can own a multiple profiles.
    relation owner @account

    attribute age integer
    attribute region string[]
    attribute region_ip string[]

    action edit = owner
    action delete = owner
    action create_watchlist = owner
}

entity watchlist {
    //each profile can own a multiple watch-list.
    relation owner @profile

    action edit = owner
    action delete = owner
    action remove_content = owner
}

entity content {
    //contents can be a part of watch_lists
    relation watchlist @watchlist
    relation user @profile

    attribute age_rating integer
    attribute allowed_region string[]

    action view = check_age(user.age, ager_rating) and check_region(user.region, allowed_region) and check_ip (request.ip, user.region_ip)
    action add_watchlist = user
}

rule check_age (age integer, age_rating integer) {
    age >= age_rating
}

rule check_region (region string, allowed_region string) {
    region in allowed_region
}

rule check_ip (ip string, region_ip string) {
    ip in region_ip
}
```

`action view = check_age(user.age, ager_rating)` error message: not supported walk

keen wolf
#

Unveiling Permify ABAC: A New Dimension ...

stiff rivet
#

We have 1000s of companies, each of which will create 1000s of projects (one company can have multiple projects). Each project can have its own roles (could be 20 roles) and can be shared with any user by email, and based on their access they will see field-based data; for example, for cost center they will see columns/attributes/fields based on access. We can have 10000s of users. How do we achieve this using Permify?


vivid geyser
#

Hello,

I am working on a schema like this:

```
entity product_env {
    attribute owner string

    permission apply = check_is_viewer(owner)
}

rule check_is_viewer(owner string) {
    owner == 'viewer'
}
```

I noticed that when I change the name of the formal argument, e.g:

```
rule check_is_viewer(o string) { o == 'viewer' }
```

the schema is no longer valid (invalid argument). I looked into the code and saw that at compile time, when the type of the actual argument `owner` is validated, it looks for a formal argument with the same name. Seems to be a nice bug.

opaque sluice
#

What would the difference be between @role and @role#assignee in this schema?

covert geyser
#

Hi, could you help me with schema modeling?

```
entity user {
}

entity organization {
    relation creator @user
    relation admin @user
    relation member @user

    permission create = creator
    permission read = admin or member
    permission update = admin or member
    permission delete = creator
}
```

I want to add an attribute "super_user" for users, and allow organizations to be created only by users with this attribute.
Can I do that? How?

outer vale
#

Hi, I have a schema to do the following. I have users, channels, roles and permissions. User A can perform action "Edit Video" in channel A, but not in channel B.
I want to be able to create roles and permissions at runtime, and the definition of a role will be the same across all channels. Is there a way I can model this in Permify? I have looked through everything and am not able to find anything helpful.

solemn anvil
#

Hello here,

Is it possible to create a schema where organizations can have predefined roles like "admin" that cannot be changed and, in addition, dynamic or custom roles?

On the playground it has an example for custom roles, but not a combination. I did try to play around to achieve that, but I did not get a solution.

safe turtle
#

Hello,

I stumbled on Permify yesterday and I am exploring it for our startup. I have a schema that I am trying to figure out if it can be implemented in Permify or not.

  1. Entities.
  2. Spaces can be created under entities.
  3. Drive (files and folders) that can be created under each space. Each file and folder can be shared with space users.
  4. Tasks. Based on space users' roles, users can either access all tasks or assigned tasks only.
  5. Entity roles for each entity, in which there will be standard roles created by the system for all entities as well as custom roles created by the entity owner that will hold permissions for various document types under the entity.
  6. Space roles for each space, in which there will be standard roles created by the system for all spaces as well as custom roles created by the space owner that will hold permissions for various document types under the space.

Notes:

  1. Some roles can have access to all child documents without having to explicitly share the document with them. For example, entity owners can access all spaces without having to be a space user, and space owners can access all tasks without having to be assigned to them. It is not limited to the owner role; custom roles can also have these permissions if the owner allows it.
  2. A single system user can be a user for multiple entities with different roles. For example, a user can be an owner in entity1, a member in entity2 and a customadmin in entity3.
  3. Drive folders will also have such permissions, in which a user who has editor on a folder can access all of its files.

Thanks in advance, I just wanted to make sure that this is possible or applicable in Permify before diving more into it.

reef cipher
#

How can I specify a schema such that I can have custom roles (through role entity) as well as ABAC? My goal is to let the tenant create role specific rules that check attributes for an action on the entity; however, the role should be dynamically mapped and not directly set in Permify Schema...

terse bone
#

Hi,
is there a way to model a schema that will allow an admin (for example) to create roles and assign users to them? For example, we might provide the roles admin/guest/member/owner, but now the admin decides that a new role should be created that will allow only edit/view. The admin cannot change the schema, so we have to have a way to enable it. Did someone do something like that?

analog solstice
#

Hello,
I am new to Permify.
My schema is:

```
entity user {
    relation roles @role
}

entity role {
    attribute name string
    attribute grant string[]
    permission can = check_grant(grant)
}

entity country {
    relation member @user
    permission access = member
}

entity zone {
    relation parent @country
    relation member @user
    permission access = member or parent.access
}

entity regional_office {
    relation parent @zone
    relation member @user
    permission access = member or parent.access
}

entity site {
    relation parent @regional_office
    relation member @user
    relation owner @user

    permission access = owner or member or parent.access
}

entity pump {
    relation site @site
}

rule check_grant(grant string[]) {
    context.data.cugrant in grant
}
```
Our core objective is to build a role-based permission system with the following characteristics:
The Setup: We have users and we have roles. A single user can be assigned one or more roles.
The Permission Source: The permissions themselves (e.g., action strings like "user:list" or "site:edit") are stored in a string array attribute called grant on each role.
The Goal: We need to create a single, simple, and efficient permission check. This check, let's call it can, should answer the question: "Can this user perform this action?"
The Logic: The check must return true if any of the roles assigned to the user contain the requested action string in their grant attribute.
The Requirement: This entire logical evaluation—checking a user, finding all their roles, and inspecting each role's grant attribute—must happen inside the Permify engine in a single API call. We must not have to write application code that fetches all roles and then loops through them to make multiple checks.
The challenge has been to write a valid Permify schema that correctly expresses this logic.
Can someone help me write the schema correctly so I can make a rule in the user entity that handles the `can` permission?

steady cove
#

is this place active?
