# talk-keto
n
about to post this on keto channel. I was spending a few hours on this yesterday and I am feeling that maybe what I am doing is not possible. I would like to grant access to the mysite.com object for users in the mysite-admins group. What am I doing wrong? I can get it to work for direct user access, but I would rather give access to a group. Ory Permission Language
import { Namespace, SubjectSet, Context } from "@ory/permission-namespace-types"

// Users; a user may have managers (other users)
class User implements Namespace {
  related: {
    manager: User[]
  }
}

// Groups; a group has user members
class Group implements Namespace {
  related: {
    members: User[]
  }
}

// Sites; a site allows the member set of one or more groups
class Site implements Namespace {
  related: {
    allows: SubjectSet<Group, "members">[]
  }

  permits = {
    // a subject may view the site if it is (transitively) in "allows"
    view: (ctx: Context): boolean =>
      this.related.allows.includes(ctx.subject)
  }
}
permission check
{
  "namespace": "Site",
  "object": "mysite.com",
  "relation": "allows",
  "subject_id": "164cc415-499e-4ad7-bcc5-b9823af9dfea",
  "subject": "User",
  "subject_set": {
    "namespace": "Group",
    "object": "mysite-admins",
    "relation": "members"
  }
}
tuples
./ory list relation-tuples
NAMESPACE       OBJECT          RELATION NAME   SUBJECT
Group           mysite-admins   memebrs         User:164cc415-499e-4ad7-bcc5-b9823af9dfea
Group           mysite-admins   members         164cc415-499e-4ad7-bcc5-b9823af9dfea
Site            mysite.com      allows          Group:mysite-admins
Site            mysite.com      allows          164cc415-499e-4ad7-bcc5-b9823af9dfea
b
You can try something like this:
// Create users in the User namespace
User:admin#member@user_1
User:writer#member@user_2
User:reader#member@user_3
// Not a part of any group
User:anonymous#member@user_4

// Create groups in the Group namespace and assign users to the groups
Group:mysite-admins#member@(User:admin#member)
Group:mysite-writers#member@(User:writer#member)
Group:mysite-readers#member@(User:reader#member)

// Create site permissions in the Site namespace and assign groups to the site.
// Also try adding a user to the site directly to have direct access.
Site:mysite.com#allow@(Group:mysite-admins#member)
Site:mysite.com#allow@(Group:mysite-writers#member)
// Deny access to the site
Site:mysite.com#deny@(Group:mysite-readers#member)
// Give the user direct access to the site
Site:mysite.com#allow@user_4
PS: I have not tested this, but you can create a similar rule in Ory Keto and test it out. 👍
n
Awesome, thank you, I will give it a try.