# talk-keto
f
I am trying out Ory Keto, noticed SubjectSets in the documentation, and was trying to figure out what they are for and how to use them. They are used in example involving group-based permissions on https://www.ory.sh/docs/keto/reference/ory-permission-language and my use case also uses group-based permissions, so I got worried I am “doing it wrong”. I have looked through the documentation for an explanation, and found https://www.ory.sh/docs/keto/concepts/subjects#subject-sets, but it’s really brief. I also saw https://ory-community.slack.com/archives/C012RBZFMDG/p1688998603818589?thread_ts=1688998412.544369&cid=C012RBZFMDG - which seems to imply that by just using basic “subject IDs” I would be in fact doing it wrong. Also, my very-simple example OPL is not working the way I would expect, so I want to see if using subject sets is the fix. Looking for a ELI5 on subject sets.
It looks like maybe the answer is something like: replace
```json
{
        "namespace": "Group",
        "object": "blue-group",
        "relation": "members",
        "subject_id": "aran"
},
```
with
```json
{
        "namespace": "Group",
        "object": "blue-group",
        "relation": "members",
        "subject_set": {
            "namespace": "User",
            "object": "aran"
        }
},
```
That seems to be the advice, which adds namespace scoping information. I don’t understand when I’d add a relation to the subject set and what it would do on a check.
f
As far as I understand by now you would be adding a relation to the subject set if you want to have an indirection. So for example you could add this relation to express that all members of red-group are also members of blue-group:
```json
{
        "namespace": "Group",
        "object": "blue-group",
        "relation": "members",
        "subject_set": {
            "namespace": "Group",
            "object": "red-group",
            "relation": "members"
        }
},
```
This is kind of similar to the rules you provide with `permits` in OPL (which are SubjectSetRewrites as I understand, creating such tuples implicitly for all Groups), but instead of being applied for all Groups it will only be applied to the specific one. I don't really know if the empty relation is a special case for namespacing or if that makes sense if you look at it from a set theory perspective (probably have to read the Zanzibar paper to figure that out), but it seems if you are using OPL it is required to use subject_sets with empty relations instead of subject_id.
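To make the three tuple shapes discussed in this thread concrete, here is a small in-memory evaluator, added as an illustration and not code from Ory Keto or from the thread's participants. It models a relation tuple whose subject is either a bare `subject_id` (no namespace) or a `subject_set` (namespace, object, optional relation), and implements the check walk the second post describes: a subject set with an empty relation denotes the object itself, while a subject set with a relation (such as `Group:red-group#members`) is an indirection that the check follows recursively. The tuple data, the `max_depth` cut-off and the exact equality rule for bare subject IDs are assumptions of this toy model, chosen to mirror the thread, not a statement of how Keto's own engine is implemented.

```python
"""Toy evaluator for Keto-style relation tuples (constructed example, not Ory code)."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Subject:
    namespace: Optional[str]   # None models a bare subject_id, which carries no namespace
    object: str
    relation: str = ""         # "" means "this object itself", not the subjects related to it


@dataclass(frozen=True)
class RelationTuple:
    namespace: str
    object: str
    relation: str
    subject: Subject


def parse_tuple(d: dict) -> RelationTuple:
    """Accept the JSON shape used in the thread (subject_id or subject_set)."""
    if "subject_id" in d:
        subj = Subject(None, d["subject_id"])
    else:
        ss = d["subject_set"]
        subj = Subject(ss["namespace"], ss["object"], ss.get("relation", ""))
    return RelationTuple(d["namespace"], d["object"], d["relation"], subj)


def check(tuples: Iterable[RelationTuple], namespace: str, obj: str, relation: str,
          subject: Subject, max_depth: int = 8) -> bool:
    """Is `subject` related to namespace:obj via `relation`, directly or through subject sets?

    max_depth bounds the recursion so a cyclic tuple graph (A#members -> B#members -> A#members)
    terminates with a negative answer instead of recursing forever.
    """
    if max_depth == 0:
        return False
    for t in tuples:
        if (t.namespace, t.object, t.relation) != (namespace, obj, relation):
            continue
        if t.subject == subject:          # direct match, e.g. User:carol in red-group#members
            return True
        if t.subject.relation:            # indirection: expand the referenced subject set
            if check(tuples, t.subject.namespace, t.subject.object,
                     t.subject.relation, subject, max_depth - 1):
                return True
    return False


# Constructed sample tuples covering the three shapes from the thread.
SAMPLE_TUPLES = [parse_tuple(d) for d in [
    # the "before" shape: a bare subject_id with no namespace
    {"namespace": "Group", "object": "blue-group", "relation": "members", "subject_id": "aran"},
    # the "after" shape: a namespaced subject set with an empty relation
    {"namespace": "Group", "object": "green-group", "relation": "members",
     "subject_set": {"namespace": "User", "object": "bob"}},
    # indirection: every member of red-group is also a member of blue-group
    {"namespace": "Group", "object": "blue-group", "relation": "members",
     "subject_set": {"namespace": "Group", "object": "red-group", "relation": "members"}},
    {"namespace": "Group", "object": "red-group", "relation": "members",
     "subject_set": {"namespace": "User", "object": "carol"}},
]]


def sample_checks(tuples: Iterable[RelationTuple] = SAMPLE_TUPLES) -> dict:
    """Run the checks a reader of the thread would want to see, keyed by a short label."""
    return {
        # a bare subject_id only matches the identical bare id, not User:aran
        "bare_aran_in_blue": check(tuples, "Group", "blue-group", "members", Subject(None, "aran")),
        "user_aran_in_blue": check(tuples, "Group", "blue-group", "members", Subject("User", "aran")),
        # empty-relation subject set: plain namespaced membership
        "user_bob_in_green": check(tuples, "Group", "green-group", "members", Subject("User", "bob")),
        # relation on the subject set: carol reaches blue-group through red-group#members
        "user_carol_in_blue": check(tuples, "Group", "blue-group", "members", Subject("User", "carol")),
        "user_bob_in_red": check(tuples, "Group", "red-group", "members", Subject("User", "bob")),
    }


def cyclic_check() -> bool:
    """Add red-group#members <- blue-group#members, creating a cycle, and confirm termination."""
    cyclic = list(SAMPLE_TUPLES) + [parse_tuple(
        {"namespace": "Group", "object": "red-group", "relation": "members",
         "subject_set": {"namespace": "Group", "object": "blue-group", "relation": "members"}})]
    return check(cyclic, "Group", "red-group", "members", Subject("User", "bob"))


if __name__ == "__main__":
    for label, result in sample_checks().items():
        print(f"{label}: {result}")
    print(f"bob in red-group with a membership cycle present: {cyclic_check()}")
```

The `user_aran_in_blue` result is the point of the first post: once the check side asks about a namespaced subject (`User:aran`), a tuple written with a bare `subject_id` no longer matches, which is why namespace-scoped subject sets with an empty relation are the safer way to write plain membership. The `user_carol_in_blue` result is the point of the second post: the relation on the subject set is what turns a tuple into "everyone who is a member of red-group", and the depth bound is the practical guard a real checker needs against cyclic group definitions.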