# talk-keto
b
I have a question about specific implementations for a POC and I really can’t find more complex examples. I’m trying to wrap my head around the following problem. Imagine you have an organization, which has users, units and bank accounts. The hierarchy is: org > unit > bank account. Users can have access to bank accounts of an organization. Units and bank accounts are not global but local (so id 1 might exist in multiple units/organizations). The user should have access to the org and the unit as well. I’m at a loss on how to model that a relation is only for exactly org abc > unit xyz > bank account 1 and not org cba > unit xyz > bank account 1. Are there any examples for that?
m
Hello @bored-agency-21522
While there is no exact example for your use case, here are some steps to arrive at your OPL.

1. Create a list of objects: In your case, the objects would be `Organization`, `Unit`, and `Bank Account`.
2. Make a list of relationships each object has to other objects: For example, an `Organization` has `Units`, a `Unit` has `Bank Accounts`, and a `User` can have access to `Bank Accounts` within a `Unit` of an `Organization`.
3. Define each relation in the OPL (Ory Permission Language): This would involve writing rules that define the relationships between the objects.
4. Make a list of permissions that you want to check: For example, whether a `User` has access to a `Bank Account` in a specific `Unit` of an `Organization`.
5. Define each permission in the OPL: This would involve writing rules that define the permissions.
6. Test your permission model: This can be done manually through the API or SDK, or by automating the testing process.

Any contributions in terms of examples are very welcome at github.com/ory/examples. Ory also offers onboarding support which can include helping with building the permission model & testing etc.
b
Thank you @magnificent-energy-493, but how do I make sure that unit xyz doesn’t have org abc and org cba in their related.orgs? Sounds like a footgun to me given how they work at the moment. I’m still evaluating, but would love to chat once I’m sure we’ll go with Ory. I’d love to have our permission model validated tho. Could you get in touch via cs@do24.eu (German if you want) for an offer on that? Cheers
@magnificent-energy-493 just a quick reminder, would love to hear from you about onboarding/setting up permissions