Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Is keto permission model able to express the following.

A file can be viewed by either user or a group.
If user is in the group that can view the file he also can view a file.

<https://github.com/ory/keto/issues/1319|This issue> seems to suggest otherwise.



The issue also has a workaround that currently has to be used

Isn’t the solution to just do something like this?
```class File implements Namespace {
  related: {
    viewers: (User | SubjectSet&lt;Group, "members"&gt;)[]
  }
}```


<@U05CS7XRAKC> <@U010UKXCPP0> Would one supposed to add `file:hello.txt#owners@group:some_group#members`

To make group `some_group` owners of a file `hello.txt`?

in that case you don't make the group, but the members of the group owners

does not sound like much of a difference, but in case you e.g. add a user to the group with an `admin` relationship, they would not be in the members list, and therefore would not be an owner

that's why in most cases you actually want to not use that, but rather use the global rules