# talk-keto
m
Hey guys, I have a question about where to stop with the namespaces, i.e. when to move from objects to subject-ids. The userset rewrite example (https://www.ory.sh/docs/keto/guides/userset-rewrites) defines namespaces for Users but also users as a subject-id. Let’s assume I don’t need the manager relation in the User namespace. How do you differentiate between the subject-id-users and object-id-users? What’s the point of having a namespace called User when you might as well just stop at Group? By my understanding, subject-ids do not belong to a particular namespace, or do they implicitly? The example defines two Users of the same name here; the first one becomes a subject-id user, the second one (the capital P one) becomes an object-id user:
```json
{
  "namespace": "Group",
  "object": "developer",
  "relation": "members",
  "subject_id": "patrik"
},
{
  "namespace": "Group",
  "object": "developer",
  "relation": "members",
  "subject_set": {
    "namespace": "User",
    "object": "Patrik"
  }
}
```
Where this is the namespace config:
```ts
class User implements Namespace {
  related: {
    manager: User[]
  }
}

class Group implements Namespace {
  related: {
    members: (User | Group)[]
  }
}
```
What’s the point of this? When do I use which, e.g. to check for a permission? Is the second relation-tuple saying any users that Patrik (with a capital P) (might) manage are also part of the developer Group?
s
You would be best off by always using namespaces, as we plan to fade out untyped subjects: https://github.com/ory/keto/issues/1092
m
thanks!
b
@steep-lamp-91158 am I understanding this right? The relation is optional in a subjectSet? Or is the relation even optional in the part before the @?
m
Let me answer for Patrik. Yes, you understand that right. A subject set can leave the relation empty, which should have the effect of a wildcard, meaning “any relation that is defined on that namespace”.
s
Missed this thread... It is less of a wildcard, but rather just references the object in general (so objects are used as a subject), or to frame it the way Hans wrote it: "any relation that is defined on that namespace, even a non-existent relation".