Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

How have you all been doing super users? I.e. users that can access things they aren't related to.

My method has been to use semi-rbac, where users are assigned a role (e.g. roles:SUPER_USER#member@userId) and then using the * subject

with permissions for namespace:*#permission@&lt;roles:SUPER_ADMIN#member&gt;

when I'm performing a check, I check first for the specific object permission, then for the admin permission. There's probably a better way of doing this now with the Ory Permission Language, but I haven't looking into migrating to it yet

Thanks for the reply! That seems like a good way to do it. I landed on something like:

```class User implements Namespace {}


class Group implements Namespace {
  related: {
    members: (User)[]
  }
}

class Account implements Namespace {
  related: {
    platformAdmins: (SubjectSet&lt;Group, "members"&gt;)[]
  }
}```
And then I just add the admins group to every account that gets created.