<@U04UQ68083H>,
What is the best way to configure ...
# ory-copilotm
many-dawn-19625
06/09/2025, 6:01 PM@chilly-king-10285,
What is the best way to configure Ory Permissions using OPL to grant a 'sysadmin' super-user access to all resources?
Let’s assume I have a Super-user team group made up of multiple users.
Copy code
class User implements Namespace {
}
export class Group implements Namespace {
related: {
members: (User | Group)[]
}
}
export class Project implements Namespace {
related: {
viewer: SubjectSet<Group, "members">[]
}
permits = {
read: (ctx: Context): boolean =>
this.related.viewer.includes(ctx.subject) ||
this.permits.write(ctx),
} Copy code
{
"namespace": "Group",
"object": "super_users",
"relation": "members",
"subject_set": {
"namespace": "User",
"object": "admin-user"
}
}, Copy code
{
"namespace": "Project",
"object": "my-project",
"relation": "viewer",
"subject_set": {
"namespace": "Group",
"object": "super_users",
"relation": "members"
}
}b
brief-egg-61061
06/09/2025, 6:01 PMA message from kapa.ai
brief-egg-61061
06/09/2025, 6:01 PMTo grant a "sysadmin" super-user group access to all resources in Ory Permissions using OPL (Ory Permission Language), you generally have two main options: ### 1. Grant Access via Relationship Tuples The standard and recommended approach is to create relationship tuples that explicitly grant the super-user group access to each resource or namespace. For example, you would add the "super_users" group as a
viewer Copy code
json { "namespace": "Group", "object": "super_users", "relation": "members", "subject_set": { "namespace": "User", "object": "admin-user" } } Copy code
json { "namespace": "Project", "object": "my-project", "relation": "viewer", "subject_set": { "namespace": "Group", "object": "super_users", "relation": "members" } } Copy code
typescript permits = { read: (ctx: Context): boolean => this.related.viewer.includes(ctx.subject) || ctx.subject.isInGroup("super_users") || // Pseudocode, not supported natively this.permits.write(ctx), }isInGroupm
many-dawn-19625
06/09/2025, 7:00 PM@chilly-king-10285 I want to make your OPL rules check for membership in the "super_users" group, but the group membership itself must be represented as tuples, and you must add this logic to each relevant permission rule. - explain how to define global
isInGroupb
brief-egg-61061
06/09/2025, 7:00 PMA message from kapa.ai
brief-egg-61061
06/09/2025, 7:00 PMOry Permission Language (OPL) does not provide a built-in global
isInGroupsuper_usersGroupmembers Copy code
typescript class User implements Namespace {} class Group implements Namespace { related: { members: (User | Group)[] } } Copy code
json { "namespace": "Group", "object": "super_users", "relation": "members", "subject_id": "user-id" }super_usersSubjectSet Copy code
typescript import { Namespace, SubjectSet, Context } from "@ory/permission-namespace-types" class Project implements Namespace { related: { viewer: (User | SubjectSet<Group, "members">)[] } permits = { read: (ctx: Context): boolean => this.related.viewer.includes(ctx.subject) || // Grant access if user is in super_users group this.related.viewer.includes(SubjectSet<Group, "members">("super_users")) || this.permits.write(ctx), } }isInGroupSubjectSetviewerisInGroupm
many-dawn-19625
06/10/2025, 5:24 AM@chilly-king-10285 show me an example of "The logic must be repeated in each relevant namespace’s permission rule."
b
brief-egg-61061
06/10/2025, 5:24 AMA message from kapa.ai
brief-egg-61061
06/10/2025, 5:24 AMCertainly! Here’s how you would repeat the logic for checking if a user is a member of the
super_usersProjectDocumentsuper_users Copy code
typescript import { Namespace, SubjectSet, Context } from "@ory/permission-namespace-types" class User implements Namespace {} class Group implements Namespace { related: { members: (User | Group)[] } } class Project implements Namespace { related: { viewers: (User | SubjectSet<Group, "members">)[] } permits = { read: (ctx: Context): boolean => this.related.viewers.includes(ctx.subject) || // Grant access if user is in super_users group SubjectSet<Group, "members">("super_users").includes(ctx.subject) } } class Document implements Namespace { related: { viewers: (User | SubjectSet<Group, "members">)[] } permits = { read: (ctx: Context): boolean => this.related.viewers.includes(ctx.subject) || // Grant access if user is in super_users group SubjectSet<Group, "members">("super_users").includes(ctx.subject) } }super_usersreadProjectDocumentSubjectSetFolderFilem
many-dawn-19625
06/10/2025, 7:16 AM@chilly-king-10285 show me the minimum tuple to be configured with the '/admin/relation-tuples' endpoint to handle the above relationship
b
brief-egg-61061
06/10/2025, 7:17 AMA message from kapa.ai
brief-egg-61061
06/10/2025, 7:17 AMTo handle the relationship where a user is a member of the
super_users/admin/relation-tuples Copy code
json { "namespace": "Group", "object": "super_users", "relation": "members", "subject_id": "user-id" }"Group""super_users""members""user-id"user-idsuper_users/admin/relation-tuplesPUTsubject_idm
many-dawn-19625
06/10/2025, 7:18 AM@chilly-king-10285 how to grant viewer permission through OPL now to super_users ?
b
brief-egg-61061
06/10/2025, 7:18 AMA message from kapa.ai
brief-egg-61061
06/10/2025, 7:19 AMTo grant
viewersuper_userssuper_usersSubjectSetProjectviewersuper_users Copy code
typescript import { Namespace, SubjectSet, Context } from "@ory/permission-namespace-types" class User implements Namespace {} class Group implements Namespace { related: { members: (User | Group)[] } } class Project implements Namespace { related: { viewers: (User | SubjectSet<Group, "members">)[] } permits = { view: (ctx: Context): boolean => this.related.viewers.includes(ctx.subject) } }super_userssuper_usersviewer Copy code
json { "namespace": "Project", "object": "my-project", "relation": "viewers", "subject_set": { "namespace": "Group", "object": "super_users", "relation": "members" } }super_usersviewerviewerssuper_usersSubjectSetviewersuper_usersSubjectSetviewerssuper_usersm
many-dawn-19625
06/10/2025, 7:20 AM@chilly-king-10285 can I do this for only a parent project and let all the child projects inherit this privilege?
b
brief-egg-61061
06/10/2025, 7:21 AMA message from kapa.ai
brief-egg-61061
06/10/2025, 7:21 AMYes, you can grant the
super_usersviewers Copy code
typescript import { Namespace, SubjectSet, Context } from "@ory/permission-namespace-types" class User implements Namespace {} class Group implements Namespace { related: { members: (User | Group)[] } } class Project implements Namespace { related: { viewers: (User | SubjectSet<Group, "members">)[] parents: Project[] } permits = { view: (ctx: Context): boolean => this.related.viewers.includes(ctx.subject) || this.related.parents.traverse((parent) => parent.permits.view(ctx)) } }super_usersviewerparents.traverse(...)super_userssuper_usersm
many-dawn-19625
06/10/2025, 7:23 AM@chilly-king-10285 how to define parent relationshiop for a new project and parent/superuser ? can you show me all the cfg tuple?
b
brief-egg-61061
06/10/2025, 7:24 AMA message from kapa.ai
brief-egg-61061
06/10/2025, 7:24 AMTo define a parent relationship for a new project and grant the
super_userschild-projectparent-project Copy code
json { "namespace": "Project", "object": "child-project", "relation": "parents", "subject_id": "parent-project" }"Project""child-project""parents""parent-project"super_users Copy code
json { "namespace": "Group", "object": "super_users", "relation": "members", "subject_id": "admin-user" }"Group""super_users""members""admin-user"super_users Copy code
json { "namespace": "Project", "object": "parent-project", "relation": "viewers", "subject_set": { "namespace": "Group", "object": "super_users", "relation": "members" } }"Project""parent-project""viewers"super_userssuper_userssuper_users/admin/relation-tuplespatchRelationshipsinsert3 Views