# Hello everyone! We have decided to use
Hi @limber charm, thanks for sharing your case and welcome to our community 👋
While I'm not sure, the scenario you described seems solvable using the lookup-entity API (https://docs.permify.co/api-reference/permission/lookup-entity).
Specifically, to achieve resource-level permissions that apply to all entities of a given type (such as all recipes), you can use the lookup-entity API which allows you to query which entities a user can access based on their roles and permissions.
Here's a step-by-step approach to achieve this.
Define Entities and Relations
You would still need to define your entities and relations properly to facilitate the lookup-entity API. Here's an example schema that represents the entities user, role, resource, and recipe:
entity user {}

entity role {
    relation assignee @user
}

// Type-level anchor entity: a single instance (resource:recipe) stands for "all recipes".
// Each capability is a relation whose subject is a role's assignee set, so it can be
// granted with a relationship tuple (an action cannot be self-referencing or assigned directly).
entity resource {
    relation view_all @role#assignee
    relation edit_all @role#assignee
    relation create_all @role#assignee
    relation delete_all @role#assignee
    relation owner_view @role#assignee
    relation owner_edit @role#assignee
    relation owner_create @role#assignee
    relation owner_delete @role#assignee
}

entity recipe {
    relation owner @user
    // every recipe points at the same anchor entity, resource:recipe
    relation group @resource
    action view = group.view_all or (group.owner_view and owner)
    action edit = group.edit_all or (group.owner_edit and owner)
    action create = group.create_all or (group.owner_create and owner)
    action delete = group.delete_all or (group.owner_delete and owner)
}
Assign Roles and Relationships
Create the necessary relationships to assign roles and permissions to users:
// Assign roles to users
role:admin#assignee@user:1
role:editor#assignee@user:2
// Grant capabilities on the anchor entity to the role's assignee set (subject set, not the bare role)
resource:recipe#view_all@role:admin#assignee
resource:recipe#edit_all@role:editor#assignee
Use the lookup-entity API
To check which recipes a user can view based on their roles and permissions, use the lookup-entity API as follows:
Example Request
{
  "tenant_id": "t1",
  "entity_type": "recipe",
  "permission": "view",
  "subject": {
    "type": "user",
    "id": "2"
  },
  "context": {
    "tuples": [
      { "entity": { "type": "recipe", "id": "1" }, "relation": "owner", "subject": { "type": "user", "id": "2" } },
      { "entity": { "type": "recipe", "id": "1" }, "relation": "group", "subject": { "type": "resource", "id": "recipe" } },
      ...
    ]
  }
}
Response
{
"entity_ids": ["recipe:1", "recipe:2", "recipe:3"]
}
The response will contain the IDs of all recipe entities that the user can view based on their assigned roles and the defined permissions.
This approach could eliminate the need for a wildcard. But as I mentioned, I'm not sure that this is the best option for handling it. In any case, we would love to learn more about your use case and discuss this. We might add wildcard support to our roadmap depending on the need/urgency on your end.
Would you be open to a quick call at your availability next week or so?
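To make the "type-level anchor entity" idea above concrete, here is an added example that is not part of the original post and not Permify's code: a small in-memory model of the relationship tuples and the `view`/`edit`/`create`/`delete` rules from the schema above, with a `lookup_recipes` function that mirrors what the lookup-entity call returns. The users, roles and recipe IDs are constructed sample data, and the evaluation logic is a hand-written approximation of relation and subject-set resolution for this one schema, not a general Permify engine.

```python
"""Model of the resource:recipe anchor pattern (added example, not Permify code).

Shows that one anchor entity plus role assignee subject sets grants a role
holder access to every recipe, while owner-scoped capabilities stay per-recipe,
all without a 'recipe:*' wildcard tuple. Sample data below is constructed.
"""
from collections import defaultdict


class Store:
    """Tuple store keyed by (entity, relation) -> set of subjects.

    Entities and subjects use the DSL string form: 'type:id' for a direct
    subject and 'type:id#relation' for a subject set (e.g. role:admin#assignee).
    """

    def __init__(self):
        self.tuples = defaultdict(set)

    def write(self, entity, relation, subject):
        self.tuples[(entity, relation)].add(subject)

    def subjects(self, entity, relation):
        return self.tuples.get((entity, relation), set())

    def has(self, entity, relation, user, _seen=None):
        """True if `user` is in entity#relation, expanding subject sets recursively."""
        seen = _seen if _seen is not None else set()
        key = (entity, relation)
        if key in seen:  # guard against cyclic subject sets
            return False
        seen.add(key)
        for subj in self.subjects(entity, relation):
            if subj == user:
                return True
            if "#" in subj:  # subject set: recurse into its members
                ent, rel = subj.split("#", 1)
                if self.has(ent, rel, user, seen):
                    return True
        return False


def recipe_permission(store, recipe, action, user):
    """<action> = group.<action>_all or (group.owner_<action> and owner)."""
    is_owner = store.has(recipe, "owner", user)
    for group in store.subjects(recipe, "group"):
        if store.has(group, f"{action}_all", user):
            return True
        if is_owner and store.has(group, f"owner_{action}", user):
            return True
    return False


def lookup_recipes(store, action, user):
    """Mirror of lookup-entity: IDs of every recipe on which `user` holds `action`."""
    recipes = sorted({ent for (ent, _rel) in store.tuples if ent.startswith("recipe:")})
    return [r.split(":", 1)[1] for r in recipes if recipe_permission(store, r, action, user)]


def build_sample_store():
    """Constructed sample data (hypothetical users and roles)."""
    s = Store()
    s.write("role:admin", "assignee", "user:1")
    s.write("role:editor", "assignee", "user:2")
    s.write("role:author", "assignee", "user:3")
    # One anchor entity carries the type-wide grants, as subject sets of roles.
    s.write("resource:recipe", "view_all", "role:admin#assignee")
    s.write("resource:recipe", "view_all", "role:editor#assignee")
    s.write("resource:recipe", "edit_all", "role:editor#assignee")
    s.write("resource:recipe", "owner_view", "role:author#assignee")
    s.write("resource:recipe", "owner_edit", "role:author#assignee")
    # Each recipe still needs one 'group' tuple pointing at the anchor; that is
    # exactly the per-recipe tuple the thread would like to avoid writing.
    for rid, owner in (("1", "user:3"), ("2", "user:2"), ("3", "user:9")):
        s.write(f"recipe:{rid}", "group", "resource:recipe")
        s.write(f"recipe:{rid}", "owner", owner)
    return s


if __name__ == "__main__":
    st = build_sample_store()
    for who in ("user:1", "user:2", "user:3", "user:9"):
        print(who, "view:", lookup_recipes(st, "view", who), "edit:", lookup_recipes(st, "edit", who))
```

Note what the model makes visible: user:9 owns recipe 3 but holds no role, so `owner_view` never fires for them, while user:3 (role author) sees only the recipe they own. Granting a role type-wide access is a single tuple on the anchor; the cost of the pattern is the one `group` tuple per recipe.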
Lookup is fine, I don't need that. I just want to alter the schema such that I don't have to define, for each recipe, a relation saying that the recipe belongs to group/resource recipe, because it's always the case.
If wildcards were supported it would be something like this, added permanently to Data (not contextual): { "entity": "recipe:*", "relation": "group", "subject": { "type": "resource", "id": "recipe" } }. Not sure what the Permify equivalent would look like.
Here is playground - https://play.permify.co/?s=gfb80KxF9XRp6BUtcT8Vr
Hi @limber charm, entity-level wildcard support isn't something we're considering adding to our roadmap, because of the search query issue.
For example, the tuple created from the JSON you provided would be: recipe:*#viewer@user:x
According to this tuple, user:x should be able to view recipe:1. In such an access check evaluation, Permify would need to search for all viewers of the recipe using a query like "bring all recipe:*#viewers", and that is a problematic search query to structure on our end.
But if you put the wildcard on the subject rather than the entity (we're considering adding this to our roadmap), it allows ALL subjects of a certain type to hold a permission. One example would be an admin user who is able to manage all resources.
Thanks for sharing your schema. About the topic: Instead of defining a relation for each recipe manually, you can define a schema where the relation is automatically inferred based on the group/resource.
Here is how you can define a schema where all recipes automatically belong to a specific group/resource:
- Define the parent-child relationship.
- Use inheritance to automatically infer the relation.
Here’s an example of how to define this in Permify Schema:
entity group {
relation member @user
relation admin @user
}
entity recipe {
relation parent @group
action view = parent.member or parent.admin
action edit = parent.admin
action delete = parent.admin
}
In this schema:
- The recipe entity has a parent relation that refers to the group entity.
- The view, edit, and delete actions in the recipe entity are defined based on the parent relation, which makes use of the group's member and admin relations.
This way, you don't need to define a relation for each recipe manually; the relation is automatically inferred based on the group it belongs to.
Does this solve what you want to achieve, or am I missing something here?
No, this will lead to fixed roles; I want custom ones. The issue is solved, I defined a wildcard myself: https://play.permify.co/?s=pN4Sxi-gqFv0vZHRRl07r
Thanks for helping.