You can define user roles and their permissions using the Ory Permission Language (OPL), which is a developer-friendly configuration language defined as a subset of TypeScript. In OPL, you can create classes that represent different roles and define their permissions as methods within these classes. For example, you can create a class for the

admin

role and define its permissions. If you want the

admin

role to inherit permissions from other roles, you can include these roles in the

related

property of the

admin

class and use them in the

permits

methods. Here is an example of how you can define roles and their permissions in OPL:

typescript import { Namespace, Context } from "@ory/keto-namespace-types"    class User implements Namespace {}    class Document implements Namespace {     // All relationships for a single document.     related: {       editors: User[]       viewers: User[]     }      // The permissions derived from the relationships and context.     permits = {       // A permission is a function that takes the context and returns a boolean. It can reference `this.related` and `this.permits`.       write: (ctx: Context): boolean => this.related.editors.includes(ctx.subject),       read: (ctx: Context): boolean => this.permits.write(ctx) || this.related.viewers.includes(ctx.subject),     }   }

In this example, the

Document

class represents a role that has two relationships:

editors

and

viewers

. The

permits

property defines the permissions for this role. The

write

permission checks if the subject is in the

editors

relationship, and the

read

permission checks if the subject has the

write

permission or is in the

viewers

relationship. You can find more information about defining permissions in OPL in the [Ory documentation](https://www.ory.sh/docs/keto/reference/ory-permission-language). Please note that the actual implementation of role inheritance might vary depending on your specific use case and the complexity of your permission model.

In Ory's Permission Language (OPL), you can model role inheritance by using the

permits

property of a class. This property contains functions that define the permissions for a role. If you want a role to inherit permissions from another role, you can call the corresponding function from the

permits

property of the other role. Here's an example where the

editors

role inherits the

view

permission from the

viewers

role:

typescript import { Namespace, Context } from "@ory/keto-namespace-types"    class User implements Namespace {}    class Document implements Namespace {     related: {       viewers: User[]       editors: User[]     }      permits = {       view: (ctx: Context): boolean => this.related.viewers.includes(ctx.subject),     edit: (ctx: Context): boolean => this.related.editors.includes(ctx.subject) || this.permits.view(ctx),   }   }

In this example, the

Document

class represents a document object that has two roles:

viewers

and

editors

. The

permits

property defines the permissions for these roles. The

view

permission checks if the subject is in the

viewers

relationship. The

edit

permission checks if the subject is in the

editors

relationship or if the subject has the

view

permission. This way, the

editors

role inherits the

view

permission from the

viewers

role. You can find more information about defining permissions in OPL in the [Ory documentation](https://www.ory.sh/docs/keto/reference/ory-permission-language).