Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi everyone, I wasn't sure if this use case would work for Keto but I'm building an e-commerce platform and would like to limit user access to orders.

The following would apply
• User who owns order should always be able to read it 
• Employee who is a sales rep should be able read order
• User who is in charge of fulfillment should not be able to access order
Could i create a relationship default for a namespace where i either pass
```OWNER
SALES
WAREHOUSE```
to a namespace dedicated to orders. I don't want to create a relationship for every new order.

I've actually done this in our platform, we use an object called "general" for this exact purpose. Obviously, you can name it whatever you want, but it's entirely possible (and maybe even recommendable).

In our case, we use as simple a form of relations as possible, so we have for example the namespace 'users', which has an object called 'general', which has either relation 'write' or relation 'read'. We still use separate subjects for each permission tuple though, however, this is not neccessary, you can use a generic name for the subject as well - though I'm note sure that's as recommendable :blush: