# Can anyone help me with the below schema


rapid yoke

Hi @orchid skiff,

Your current schema attempt is close but misses the syntax for properly checking an attribute within a permission.

You would typically define an attribute at the entity level and then reference that attribute within your permissions. However, directly checking an attribute of a related entity in the permission definition (like org.admin.manage_team) is not directly supported. Instead, you would use rules to evaluate attributes and make those conditions part of your permission checks.

Here's an adapted approach based on Permify's attribute and rule capabilities:

```
entity user {
  attribute manage_team boolean
}

entity organization {
  relation owner @user
  relation admin @user
  relation member @user
}

entity team {
  relation org @organization
  relation owner @organization#owner
  relation member @organization#member
  // The permission might need to be adjusted to use a rule that checks the manage_team attribute.
  permission create = owner or (org.admin and check_manage_team(org.admin))
}

rule check_manage_team(admin @user) {
  admin.manage_team
}
```

This adaptation introduces a rule `check_manage_team` to check the `manage_team` attribute for an admin. This is a conceptual example to guide you based on Permify's schema modeling capabilities, such as defining attributes and rules. Does this make sense?
rapid yoke

I think it's doable.


Creating a derived entity like org_user to handle the manage_team attribute could provide a more structured way to manage user attributes specific to an organization context. This approach might make the schema more expressive and potentially simplify permission checks by centralizing organization-specific user attributes and permissions.


But I can't be 100% sure it's the best approach because I don't have the other details of your use case. The key is to ensure that your authorization model remains understandable and manageable as your application's complexity grows.

orchid skiff

Getting an error with this.

rapid yoke

Hi @orchid skiff, you cannot put an entity inside a rule parameter; that's why this error occurs.


Other than this, we've examined your schema and come up with a better approach (correct us if we're missing something). Basically, it seems like you don't need to create attributes. You can achieve the same result by creating a specific role such as "manager".


Here is the schema that we came up with:

```
entity user {}

entity organization {
    relation owner @user
    relation admin @user
    relation member @user
}

entity team {
    // "org" must match the name used in the permission below (org.admin)
    relation org @organization
    relation owner @organization#owner
    relation member @organization#member
    relation manager @user

    // team owners can always create; org admins only if also assigned as team manager
    permission create = owner or (org.admin and manager)
}
```
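To see how the final schema above resolves a check, here is an added, simplified model of Zanzibar-style evaluation written for this thread; it is not Permify's engine and not code from either participant. It assumes constructed relationship tuples in Permify's `entity:id#relation@subject` notation, where a subject is either a user or a userset such as `organization:acme#owner`, and it evaluates `permission create = owner or (org.admin and manager)` by following userset references (`@organization#owner`) and the `org` relation (`org.admin`).

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample tuples (not from the thread), Permify-style notation.
TUPLES: List[str] = [
    "organization:acme#owner@user:alice",
    "organization:acme#admin@user:bob",
    "organization:acme#admin@user:carol",
    "organization:acme#member@user:dave",
    "team:core#org@organization:acme",
    "team:core#owner@organization:acme#owner",    # team owners = acme owners
    "team:core#member@organization:acme#member",  # team members = acme members
    "team:core#manager@user:bob",                 # bob is an admin AND a manager
]

Graph = Dict[Tuple[str, str], Set[str]]


def parse(tuples: List[str]) -> Graph:
    """Index tuples as (entity, relation) -> set of subject strings."""
    graph: Graph = {}
    for t in tuples:
        left, subject = t.split("@", 1)          # "team:core#owner" / "organization:acme#owner"
        entity, relation = left.split("#", 1)
        graph.setdefault((entity, relation), set()).add(subject)
    return graph


def subjects(graph: Graph, entity: str, relation: str) -> Set[str]:
    return graph.get((entity, relation), set())


def has_relation(graph: Graph, entity: str, relation: str, user: str,
                 seen: Optional[Set[Tuple[str, str]]] = None) -> bool:
    """True if `user` is in `entity#relation`, expanding userset subjects recursively.

    A subject containing '#' (e.g. organization:acme#owner) is a userset reference,
    which is how `relation owner @organization#owner` is resolved. The `seen` set
    guards against cyclic userset references.
    """
    seen = set() if seen is None else seen
    key = (entity, relation)
    if key in seen:
        return False
    seen.add(key)
    for subject in subjects(graph, entity, relation):
        if subject == user:
            return True
        if "#" in subject:
            ref_entity, ref_relation = subject.split("#", 1)
            if has_relation(graph, ref_entity, ref_relation, user, seen):
                return True
    return False


def can_create(graph: Graph, team: str, user: str) -> bool:
    """Evaluate `permission create = owner or (org.admin and manager)` on a team."""
    is_owner = has_relation(graph, team, "owner", user)
    # org.admin: follow the team's `org` relation, then check `admin` on that organization
    is_org_admin = any(has_relation(graph, org, "admin", user)
                       for org in subjects(graph, team, "org"))
    is_manager = has_relation(graph, team, "manager", user)
    return is_owner or (is_org_admin and is_manager)


GRAPH = parse(TUPLES)

if __name__ == "__main__":
    for who in ("user:alice", "user:bob", "user:carol", "user:dave"):
        print(who, "can create in team:core:", can_create(GRAPH, "team:core", who))
```

With these tuples, alice passes through the `@organization#owner` userset, bob passes because he is both an acme admin and the team manager, and carol, an admin without the manager relation, is denied, which is exactly the split the `manager` role was introduced to express without a user attribute.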