Hello, hope this is a right place to ask. I am try...
# _newcomer
Hello, hope this is the right place to ask. I am trying to implement a simple (in my opinion) permission relation model. Would like to get some advice if this is logical in Ory Keto context. Brief intro to my model:

• User is a user, simple as that
• Group contains multiple members (users or other groups for hierarchy purposes)
• Gallery is an isolated box that allows 3 operations (enroll, delete and identify)

My idea is to have a flexible model, where I can assign a user or group to a gallery and allow it specific operations.
Here is what I came up with:
```typescript
import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types"

class User implements Namespace {
}

class Group implements Namespace {
    // Both relations accept users or other groups as subjects.
    related: {
        managers: (Group | User)[],
        members: (Group | User)[]
    }

    permits = {
        // Managers count as members too.
        isMember: (ctx: Context) => this.related.managers.includes(ctx.subject)
            || this.related.members.includes(ctx.subject)
    }
}

class Gallery implements Namespace {

    // One relation per operation; subjects are users or the members of a group.
    related: {
        enroll: (User | SubjectSet<Group, "members">)[],
        identify: (User | SubjectSet<Group, "members">)[],
        delete: (User | SubjectSet<Group, "members">)[]
    }

    permits = {
        enroll: (ctx: Context) => this.related.enroll.includes(ctx.subject),
        identify: (ctx: Context) => this.related.identify.includes(ctx.subject),
        delete: (ctx: Context) => this.related.delete.includes(ctx.subject)
    }
}
```
It seems to work for permission checks, but I lack the functionality to list User available galleries
Here is my test data:
```
NAMESPACE       OBJECT          RELATION NAME   SUBJECT
Gallery         civil           identify        Group:test-group#members
Group           test-group      members         User:domantas
```
and while expand command returns an expected result:

```
keto expand identify Gallery civil --insecure-disable-transport-security
```

```
or :#@Gallery:civil#identify
└──or :#@Group:test-group#members
   └──∋ :#@User:domantas
```
I am unable to use `ListRelationTuples` grpc call to list `User:domantas` available galleries
Is there something I am missing or my permission schema is of the intended use of Keto?
For context:
```
Version:                        v0.11.1-alpha.0
Build Commit:   db5c007ca2c71f898d4ccc70dcbfc9875866ec00
Build Timestamp:        2023-03-09T13:59:41Z
```
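
In the test data above, `User:domantas` reaches `Gallery:civil` only indirectly (user, then group members, then gallery relation), so listing a user's galleries means following subject sets in reverse. The sketch below is an added example, not part of the original post and not Ory's code: it walks an in-memory copy of the tuples without calling Keto, the type and function names are hypothetical, and the rows marked as constructed are there to exercise nested groups and a membership cycle.

```typescript
// Relation tuples as plain rows (hypothetical in-memory shape, not Keto's API).
type Tuple = { namespace: string; object: string; relation: string; subject: string };

// The first two rows are the test data from the post; the rest are constructed.
const tuples: Tuple[] = [
  { namespace: "Gallery", object: "civil", relation: "identify", subject: "Group:test-group#members" },
  { namespace: "Group", object: "test-group", relation: "members", subject: "User:domantas" },
  { namespace: "Group", object: "parent", relation: "members", subject: "Group:test-group#members" }, // constructed: nesting
  { namespace: "Group", object: "test-group", relation: "members", subject: "Group:parent#members" }, // constructed: cycle
  { namespace: "Gallery", object: "vault", relation: "enroll", subject: "Group:parent#members" },     // constructed
  { namespace: "Gallery", object: "lab", relation: "delete", subject: "User:alice" },                 // constructed
];

// Breadth-first walk from a subject towards objects, following subject sets.
// Only stored tuples are considered; `permits` rewrites are not evaluated.
function listGalleries(subject: string, rows: Tuple[]): string[] {
  // Index rows by subject so each step is a single lookup.
  const bySubject = new Map<string, Tuple[]>();
  for (const t of rows) {
    const list = bySubject.get(t.subject) || [];
    list.push(t);
    bySubject.set(t.subject, list);
  }

  const seen = new Set<string>([subject]); // guards against membership cycles
  const queue: string[] = [subject];
  const found = new Set<string>();

  while (queue.length > 0) {
    const current = queue.shift() as string;
    for (const t of bySubject.get(current) || []) {
      // The object side of this tuple is itself a subject set for the next hop.
      const next = `${t.namespace}:${t.object}#${t.relation}`;
      if (t.namespace === "Gallery") found.add(next);
      if (!seen.has(next)) {
        seen.add(next);
        queue.push(next);
      }
    }
  }
  return Array.from(found).sort();
}
```

Calling `listGalleries("User:domantas", tuples.slice(0, 2))` uses only the two rows from the post and returns `Gallery:civil#identify`.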