Hi, I have written the following authorization model:
To summarize:
So far, so good. Now I’m stuck with the following: I’d like to allow users to read/write other users in the following way:
It seems to me that the current modeling has enough information to process my new functional requirements. Thus I should be able to add How would you do it? Thanks
Hi @pelmato

OpenFGA acts like a directed graph. If you want the feature you're asking for, you need to add a relation from the org back to the user to allow traversal in the opposite direction, for example:

```
model
  schema 1.1

type user
  relations
    # edge from the user object back to its organization
    define org: [organization]
    # evaluated on the linked organization, reached through org
    define canRead: isMember from org or isAdmin from org
    define canWrite: isAdmin from org

type organization
  relations
    define parent: [organization]
    define directMember: [user]
    define directAdmin: [user]
    # membership and admin rights are inherited from the parent organization
    define isMember: directMember or directAdmin or isMember from parent
    define isAdmin: directAdmin or isAdmin from parent
    define canReadOrg: isMember
    define canWriteOrg: isAdmin
```
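The traversal described in the reply, as an added Python example that is not part of the original discussion and is not OpenFGA's own evaluator: it walks the model's relations over a small tuple set to show that a check on a user object only succeeds once the `org` back-edge tuples exist. The rule encoding, the `check` function, and the user and organization names are assumptions made for illustration.

```python
# Hand translation of the reply's model (assumed encoding, not OpenFGA's own).
# Each relation is a union of rules:
#   ("direct",)        a tuple assigned directly on the object
#   ("rel", r)         relation r on the same object
#   ("from", r, link)  relation r on every object reachable through `link`
MODEL = {
    "user": {
        "org": [("direct",)],
        "canRead": [("from", "isMember", "org"), ("from", "isAdmin", "org")],
        "canWrite": [("from", "isAdmin", "org")],
    },
    "organization": {
        "parent": [("direct",)],
        "directMember": [("direct",)],
        "directAdmin": [("direct",)],
        "isMember": [("rel", "directMember"), ("rel", "directAdmin"),
                     ("from", "isMember", "parent")],
        "isAdmin": [("rel", "directAdmin"), ("from", "isAdmin", "parent")],
        "canReadOrg": [("rel", "isMember")],
        "canWriteOrg": [("rel", "isAdmin")],
    },
}

# Constructed sample tuples, written as (user, relation, object).
ORG_TUPLES = {
    ("organization:root", "parent", "organization:team"),
    ("user:alice", "directAdmin", "organization:root"),
    ("user:bob", "directMember", "organization:team"),
    ("user:carol", "directMember", "organization:other"),
}
# The edges the reply adds: each user object points back at its organization.
BACK_EDGES = {
    ("organization:team", "org", "user:bob"),
    ("organization:other", "org", "user:carol"),
}

def check(tuples, user, relation, obj, seen=frozenset()):
    if (relation, obj) in seen:  # stop on cycles in parent links
        return False
    seen = seen | {(relation, obj)}
    for rule in MODEL[obj.split(":")[0]][relation]:
        if rule[0] == "direct" and (user, relation, obj) in tuples:
            return True
        if rule[0] == "rel" and check(tuples, user, rule[1], obj, seen):
            return True
        if rule[0] == "from":
            targets = [u for (u, r, o) in tuples if r == rule[2] and o == obj]
            if any(check(tuples, user, rule[1], t, seen) for t in targets):
                return True
    return False
```

With only `ORG_TUPLES` loaded, every `canRead` or `canWrite` check on a `user` object is denied, because nothing links the user object to an organization; the permissions appear only after the `org` tuples are written, so those tuples need the same write controls as the membership tuples.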