Hello everyone, I am trying to think how to migrate keto to opl. However, I am struggling to understand how a super admin should be implemented. A super admin is a user with permission to read, write, create and delete all organisations. What we have in our data base is a organisation called

"*"

. If you are an admin from the org

*

, it means you are a super admin. These are the relation that makes a super admin user and allows it to edit this org:

{
  "namespace": "orgs",
  "object": "*",
  "relation": "admin",
  "subject_set": {
    "namespace": "users",
    "object": "Patrik",
    "relation": ""
  }
},
{
  "namespace": "orgs",
  "object": "org1",
  "relation": "write",
  "subject_set": { "namespace": "orgs", "object": "*", "relation": "admin" }
}

On one hand, now we want to maintain this first relation. On the other hand, we want to be able to figure out the second relation from the configuration file. The namespace I started is the following. It's a simple implementation of the permit write, where an admin of an org can write, but it is missing the permit of the superadmin:

import { Context, Namespace, SubjectSet } from "@ory/keto-namespace-types";

class users implements Namespace {
}

//anyone with org:*#admin can write on any org
class orgs implements Namespace {
  related: {
    admin: users[]
  }
  permits = {
    write: (ctx: Context): boolean => this.related.admin.includes(ctx.subject),
  }
}

I am struggling to know how to do it. Can anyone give me a hand? Is there a way to do it?