To allow a user to edit the price of a book in Ory Keto, you need to: 1. Define a namespace for your "books" table in your Keto configuration. 2. Model the relationships that determine who can edit a book's price (e.g., the user who created the book, or users with a specific role). 3. Define the "edit_price" permission in the Ory Permission Language (OPL) for the Book namespace. 4. Create relationship tuples that assign users to the appropriate relation (e.g., "editors" or "owners") for each book. ### Example: OPL Permission Model Suppose you want only the creator of the book (the user in

created_by

) to be able to edit the price. You could model it like this:

typescript import { Namespace, Context } from "@ory/keto-namespace-types"  class User implements Namespace {}  class Book implements Namespace {   related: {     editors: User[]     owners: User[]   }    permits = {     edit_price: (ctx: Context): boolean =>       this.related.editors.includes(ctx.subject) ||       this.related.owners.includes(ctx.subject),   } }

- Here,

edit_price

permission is granted if the user is in the

editors

or

owners

relation for the book. - You can adjust the relations as needed (e.g., only

editors

, or add a group). ### Assigning Relationships To allow a user (e.g., Alice) to edit the price of a specific book (e.g., book with id

book-123

), create a relation tuple:

books:book-123#editors@alice

Or, if you use the

owners

relation:

books:book-123#owners@alice

You can create these relationships using the Ory Keto CLI or API. ### Checking the Permission When your application needs to check if a user can edit the price, use the Keto check API:

keto check alice edit_price books book-123

If Alice is in the

editors

or

owners

relation for

book-123

, the check will return "Allowed" [How to integrate permission checks to your application](https://www.ory.sh/docs/keto/guides/simple-access-check-guide). --- Note: You can further customize the model to fit your requirements, such as allowing only certain roles or groups to edit the price, by adjusting the relations and permission logic in the OPL. For more details on modeling permissions, see the [Create a permission model guide](https://www.ory.sh/docs/keto/modeling/create-permission-model#define-permissions-in-the-opl).

To set up and check permissions for editing the price of a book in Ory Keto using APIs, follow these steps: --- ### 1. Define the Relationship Decide which relation (e.g., editors or owners) allows editing the price. For example, you might use the relation editors. To allow a user (e.g., alice) to edit the price of a book (e.g., book with id book-123), create a relationship tuple: API Request (Create Relationship):

json POST /relationships {   "namespace": "books",   "object": "book-123",   "relation": "editors",   "subject_id": "alice" }

You can use the Ory Keto REST API endpoint to create this relationship. In Go, this would look like:

go payload := ory.CreateRelationshipBody{     Namespace: &namespace, // "books"     Object:    &object,    // "book-123"     Relation:  &relation,  // "editors"     SubjectId: &subjectId, // "alice" } _, r, err := writeClient.RelationshipApi.CreateRelationship(context.Background()).CreateRelationshipBody(payload).Execute()

[Ory Permissions Go SDK](https://www.ory.sh/docs/keto/sdk/go) --- ### 2. Define the Permission in OPL In your OPL (Ory Permission Language) model, define the edit_price permission for the Book namespace:

typescript class Book implements Namespace {   related: {     editors: User[]   }    permits = {     edit_price: (ctx: Context): boolean =>       this.related.editors.includes(ctx.subject),   } }

[Define permissions in the OPL](https://www.ory.sh/docs/keto/modeling/create-permission-model#define-permissions-in-the-opl) --- ### 3. Check the Permission To check if a user can edit the price of a book, use the permission check API: API Request (Check Permission):

http GET /relation-tuples/check?namespace=books&object=book-123&relation=edit_price&subject_id=alice

Or, using the Go SDK:

go check, r, err := readClient.PermissionApi.CheckPermission(context.Background()).     Namespace(namespace).     Object(object).     Relation("edit_price").     SubjectId(subjectId).     Execute() if check.Allowed {     fmt.Println(subjectId + " can edit the price of " + object) }

[Ory Permissions Go SDK](https://www.ory.sh/docs/keto/sdk/go) --- Summary: - Assign the user to the editors relation for the book using the relationship API. - Define the edit_price permission in your OPL model. - Use the check API to verify if the user has permission to edit the price. If you need more details on the API endpoints, see the [Keto REST API reference](https://www.ory.sh/docs/keto/reference/rest-api).

To define the

edit_price

permission in your OPL (Ory Permission Language) model when self-hosting Ory Keto, you need to: 1. Create or update your OPL configuration file (typically a

.ts

file, e.g.,

namespaces.keto.ts

). 2. Declare your namespaces and permissions in this file using the OPL syntax (a subset of TypeScript). 3. Configure Ory Keto to use this file. ### Example OPL Model Suppose you want users in the

editors

relation to be able to edit the price:

typescript import { Namespace, Context } from "@ory/keto-namespace-types"  class User implements Namespace {}  class Book implements Namespace {   related: {     editors: User[]   }    permits = {     edit_price: (ctx: Context): boolean =>       this.related.editors.includes(ctx.subject),   } }

[See: Define permissions in the OPL](https://www.ory.sh/docs/keto/modeling/create-permission-model#define-permissions-in-the-opl) ### Where to Place the File - Save this file (e.g., as

namespaces.keto.ts

) in your configuration directory. - In your Keto configuration (

keto.yml

), set the path to this OPL file under the

namespaces

configuration key. ### How to Apply the Model - Restart your Ory Keto server after updating the OPL file so it loads the new permission model. Note: The knowledge sources do not provide the exact configuration key for the OPL file in self-hosted Keto, but the general process is to place your OPL file in the configuration directory and reference it in your Keto config. For more details, see the [Ory Permission Language specification](https://www.ory.sh/docs/keto/reference/ory-permission-language) and the [Create a permission model guide](https://www.ory.sh/docs/keto/modeling/create-permission-model). If you need to migrate or test your configuration between Ory Network and self-hosted Keto, you can use the Ory CLI to export and import permission configs as described in the documentation [Configure Ory Permissions](https://www.ory.sh/docs/guides/cli/configure-permission-service).

I'm sorry, but the knowledge sources do not contain an explicit example of a

keto.yml

configuration file that sets the path to an OPL (Ory Permission Language) file under the

namespaces

configuration key for self-hosted Ory Keto. The documentation describes how to define namespaces and permissions in OPL and references the use of configuration files, but it does not provide a concrete example of linking an OPL file in

keto.yml

or the exact configuration key to use for this purpose [Ory Permission Language specification](https://www.ory.sh/docs/keto/reference/ory-permission-language) [Configuration reference](https://www.ory.sh/docs/keto/reference/configuration). If you need to configure namespaces, the documentation shows examples of defining them directly in YAML, but not by referencing an external OPL file. For example:

yaml namespaces:   - id: 0     name: books

However, this does not reference a TypeScript OPL file, but rather defines namespaces in YAML. For more advanced OPL integration, you may need to consult the latest Ory Keto documentation or community resources for up-to-date guidance.

I'm sorry, but the knowledge sources do not contain explicit information or an example on how to configure self-hosted Ory Keto to directly load a TypeScript OPL file such as

namespaces.keto.ts

. The documentation describes how to write OPL files and how to use them in Ory Network (cloud) via the Console or CLI, but it does not provide details on referencing or loading a

.ts

OPL file in the configuration for a self-hosted Keto instance [Ory Permission Language specification](https://www.ory.sh/docs/keto/reference/ory-permission-language) [Configure Ory Permissions](https://www.ory.sh/docs/guides/cli/configure-permission-service). If you are working with Ory Network, you can upload your OPL file using the CLI with commands like

ory update opl --file namespaces.keto.ts

. For self-hosted Keto, the documentation only shows YAML-based namespace configuration and does not mention direct OPL file integration. If you need this functionality, please consult the latest Ory Keto documentation or reach out to the Ory community for further guidance.

The error you are encountering with your Ory Kratos migration is likely due to the incorrect formatting of the base64-encoded template strings. In your configuration, you have included angle brackets (

<

and

>

) around the base64 strings, which is not the correct syntax. Correct syntax: - Do not use angle brackets. - The value should start with

base64://

followed directly by the base64-encoded string. Example from the documentation:

yaml courier:   templates:     verification_code:       valid:         email:           body:             plaintext: "<base64://WW91ciB2ZXJpZmljYXRpb24gY29kZSBpczoge3sgLlZlcmlmaWNhdGlvbkNvZGUgfX0>="     login_code:       valid:         email:           body:             plaintext: "<base64://WW91ciBsb2dpbiBjb2RlIGlzOiB7eyAuTG9naW5Db2RlIH19>"

What to fix: - Remove the

<

and

>

characters from your base64 strings. - Ensure the string starts with

base64://

and is followed by the encoded content, as shown above. For more details, see the section on [using custom message templates](https://www.ory.sh/docs/kratos/emails-sms/custom-email-templates#using-custom-message-templates). If you continue to have issues, double-check that your base64-encoded content is valid and that both

plaintext

and

html

fields are provided if required by your configuration [Mandatory template formats](https://www.ory.sh/docs/kratos/emails-sms/custom-email-templates#mandatory-template-formats).