In Ory, user identities are defined and managed through identity schemas. These schemas define what fields (data) the system stores for the identity. This allows you to easily differentiate between user types, for example customers and employees. To map user identities to a namespace, you would need to define this in your identity schema. For example, you might have a field in your schema that specifies the namespace for that identity. However, the extracts provided do not contain specific instructions or code examples on how to map user identities to a namespace. For more detailed information, you may want to refer to the [Ory documentation](https://www.ory.sh/docs/kratos/manage-identities/overview) on managing identities and customizing identity schemas.

Yes, there is documentation about the human-readable format for relationships in Ory. The format

Subject is in members of Object

is an example of how relationships are named in a namespace. This format is designed to translate to an English sentence, making it easier to understand the relationship between the subject and the object. Here's an example from the [Ory documentation](https://www.ory.sh/docs/keto/concepts/namespaces#relationships):

plaintext Subject is in members of Object

In this example, "Subject" and "Object" are placeholders for the actual entities in your application. The "members" part of the sentence describes the relationship between the subject and the object. This format is used to define relationships in the Ory Permission Language (OPL). For example, in a permission config, you might declare relationships inside the corresponding class like this:

typescript class Document implements Namespace {    related: {    owners: User[]    editors: User[]    viewers: User[]    parents: Folder[]    }   }

In this example,

owners

,

editors

,

viewers

, and

parents

are the relationships, and they are all in plural form to reflect the many-to-many relationships between objects and subjects in Ory Permissions.

Yes, the complex relation you provided can be expressed in the human-readable format. The JSON structure you provided:

json {     "namespace": "Group",     "object": "developer",     "relation": "members",     "subject_set": {       "namespace": "User",       "object": "Henning"     } }

Can be translated into the human-readable format as:

plaintext User:Henning is in members of Group:developer

This statement expresses the same relationship: the user "Henning" is a member of the group "developer". This format is easier to read and understand, and is commonly used in Ory documentation and examples. You can find more about this in the [Ory documentation](https://www.ory.sh/docs/keto/concepts/relation-tuples).

In the context of Ory, a relationship and a relationship tuple essentially refer to the same concept. They both describe the connection between a subject and an object within a specific namespace. A relationship tuple is a more formal term used to describe the structure of a relationship. It is a data structure that consists of four elements: a namespace, an object, a relation, and a subject. This structure is used to define and manage relationships in Ory. Here's an example of a relationship tuple from the [Ory documentation](https://www.ory.sh/docs/reference/api):

json {     "namespace": "Group",     "object": "developer",     "relation": "members",     "subject_set": {       "namespace": "User",       "object": "Henning"     } }

In this example, "Group" is the namespace, "developer" is the object, "members" is the relation, and the subject is a set that includes the namespace "User" and the object "Henning". This relationship tuple represents the relationship: "User Henning is a member of the Group developer". So, while the terms "relationship" and "relationship tuple" can be used interchangeably, "relationship tuple" is a more specific term that refers to the structured representation of a relationship in Ory.

The

ory parse relation-tuples

and

ory parse relationships

are commands used in Ory to parse human-readable relation tuples and relationships respectively. From the provided extracts, both commands seem to perform similar functions. They both parse human-readable formats as used in the documentation, support various output formats, and ignore comments and blank lines. However, without more specific information about the differences between these two commands, it's hard to provide a definitive answer. The exact differences might be related to the specific use cases, input formats, or output formats that each command is designed for. Here are the extracts for reference: For `ory parse relation-tuples`:

plaintext ory parse relation-tuples [flags]

Options:

plaintext  -h, --help help for relation-tuples    --project string The project to use

Options inherited from parent commands:

plaintext  -c, --config string Path to the Ory Network configuration file.    --format string Set the output format. One of default, json, yaml, and json-pretty. (default "default")    -q, --quiet Be quiet with output printing.    -y, --yes Confirm all dialogs with yes.

[Source](https://www.ory.sh/docs/cli/ory-parse-relation-tuples#ory-parse-relation-tuples) For `ory parse relationships`:

plaintext ory parse relationships [flags]

Options:

plaintext  --format string Set the output format. One of table, json, yaml, json-pretty, jsonpath and jsonpointer. (default "default")    -h, --help help for relationships    --project string The project to use, either project ID or a (partial) slug.    -q, --quiet Be quiet with output printing.

Options inherited from parent commands:

plaintext  -c, --config string Path to the Ory Network configuration file.    -y, --yes Confirm all dialogs with yes.

[Source](https://www.ory.sh/docs/cli/ory-parse-relationships#ory-parse-relationships) For a more detailed understanding of the differences between these two commands, you may want to refer to the [Ory documentation](https://www.ory.sh/docs/cli).

The permission check might be returning "denied" because the

use

permission in the

Application

class is checking if the subject is directly included in the

users

array. However, in your relationships, the user is not directly included in the

users

array. Instead, the user is a member of the

Group

"internal", which is included in the

users

array. Here's the relevant part of your permission model:

typescript class Application implements Namespace {   related: {     users: (User | SubjectSet<Group, "members">)[];   };    permits = {     use: (ctx: Context): boolean => this.related.users.includes(ctx.subject),   }; }

And here's the relevant part of your relationships:

json [   {     "namespace": "Group",     "object": "internal",     "relation": "members",     "subject_id": "cf9a90a2-ba99-4134-8ae3-5543864f6bd9"   },   {     "namespace": "Application",     "object": "helloworld",     "relation": "users",     "subject_set": {       "namespace": "Group",       "object": "internal"     }   } ]

In this case, the

use

permission is checking if the subject (the user with the ID "cf9a90a2-ba99-4134-8ae3-5543864f6bd9") is directly included in the

users

array. However, the user is not directly included in the

users

array. Instead, the user is a member of the

Group

"internal", which is included in the

users

array. To fix this, you might need to modify your permission model to check if the subject is a member of any group that is included in the

users

array. However, the provided extracts do not contain specific instructions or code examples on how to do this. For more detailed information, you may want to refer to the [Ory documentation](https://www.ory.sh/docs/keto/modeling/create-permission-model).