<@U04UQ68083H> if I have this relation in keto ini...
# ory-copilot
c
@chilly-king-10285 if I have this relation in keto initial policy file `Organization:xyz#customers@Group:customers#members`, how can I register a new identity that follows this relation?
b
A message from kapa.ai
To answer your question about registering a new identity that follows the relation `Organization:xyz#customers@Group:customers#members` in Ory Keto, we need to break this down into steps. This relation is using the Ory Permission Language (OPL) syntax, which defines relationships between objects and subjects. Here's how you can register a new identity that follows this relation:

1. First, you need to create the identity in Ory Kratos (if it doesn't exist already).
2. Then, you need to add this identity to the `customers` group.
3. Finally, the `customers` group is already related to the `Organization:xyz` through the `customers` relation, so no additional step is needed for this part.

Let's go through these steps:

1. Create the identity (if it doesn't exist) using Ory Kratos. This step is not directly related to Keto, so I won't elaborate on it.
2. Add the new identity to the `customers` group. You can do this by creating a new relationship in Keto. Here's how you can do it using the Ory CLI:
```bash
# The trailing "-" tells each command to read its input from stdin
echo "Group:customers#members@<new-identity-id>" | \
  ory parse relation-tuples --project <project-id> --format=json - | \
  ory create relation-tuples --project <project-id> -
```
Replace `<new-identity-id>` with the actual ID of the new identity, and `<project-id>` with your Ory project ID. This command creates a new relationship that adds the new identity as a member of the `customers` group. By doing this, the new identity automatically becomes part of the `Organization:xyz#customers` relation through the group membership, because of the existing relation `Organization:xyz#customers@Group:customers#members`. You can verify the relationships using the Ory CLI:
```bash
ory list relation-tuples --project <project-id>
```
This will show you all the relationships, including the one you just created. Remember that managing these relationships requires proper authentication and authorization in your Ory Network project. [Ory CLI Reference](https://www.ory.sh/docs/guides/cli/configure-permission-service#manage-relation-tuples) provides more details on managing relation tuples using the Ory CLI. [Ory Permissions Concepts](https://www.ory.sh/docs/keto/concepts/relation-tuples) offers more information about how relationships work in Ory Keto.
c
@chilly-king-10285 can you please provide example http curl requests for each step?
b
A message from kapa.ai
Certainly! I'll provide example curl requests for each step to register a new identity and add it to the relation `Organization:xyz#customers@Group:customers#members`. These examples will use the Ory Network API endpoints.

1. Create a new identity using Ory Kratos:
```bash
curl -X POST 'https://{project-slug}.projects.oryapis.com/admin/identities' \
  -H 'Authorization: Bearer {ORY_API_KEY}' \
  -H 'Content-Type: application/json' \
  -d '{
    "schema_id": "preset://email",
    "traits": {
      "email": "newuser@example.com"
    }
  }'
```
This request will return a JSON response containing the new identity's ID. Let's assume the ID is `new-identity-id`. [Ory API Reference](https://www.ory.sh/docs/reference/api#tag/identity/operation/createIdentity)

2. Add the new identity to the `customers` group in Ory Keto:
```bash
# A plain subject is passed in the "subject_id" field of the relationship body
curl -X PUT 'https://{project-slug}.projects.oryapis.com/admin/relation-tuples' \
  -H 'Authorization: Bearer {ORY_API_KEY}' \
  -H 'Content-Type: application/json' \
  -d '{
    "namespace": "Group",
    "object": "customers",
    "relation": "members",
    "subject_id": "new-identity-id"
  }'
```
Replace `{project-slug}` with your Ory project slug, `{ORY_API_KEY}` with your actual API key, and `new-identity-id` with the ID returned from the first request. [Ory API Reference](https://www.ory.sh/docs/reference/api#tag/relationship/operation/createRelationship)

3. Verify the relationships:
```bash
curl -X GET 'https://{project-slug}.projects.oryapis.com/admin/relation-tuples?namespace=Group&object=customers&relation=members' \
  -H 'Authorization: Bearer {ORY_API_KEY}'
```
This will list all members of the `customers` group, including the newly added identity. [Ory API Reference](https://www.ory.sh/docs/reference/api#tag/relationship/operation/getRelationships)

These curl requests correspond to the steps I described earlier. The first request creates a new identity in Kratos, the second adds this identity to the `customers` group in Keto, and the third verifies the relationship. Remember to replace `{project-slug}` and `{ORY_API_KEY}` with your actual Ory project slug and API key in all these requests.