# SpiceDB Schema
## Object Type
> An Object Type definition is used to represent a new type of object.
This is like a class definition in an OOP language.
```spicedb
definition user {}
definition document {}
```
## Caveat
This is a condition that can be applied to a relationship. The relationship is only
considered present if the caveat evaluates to true at query time.
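As an added example (not from the linked docs; the caveat name, parameter names and the `document`/`viewer` types are assumptions), a caveat definition and a relation that uses it. `allowed_range` is stored with the relationship when it is written; `user_ip` is supplied as context with each check request, so the same stored grant can evaluate to true or false depending on where the request comes from:

```spicedb
// Added example: a caveat is a named, parameterised condition.
// `allowed_range` is stored on the relationship, `user_ip` arrives
// in the check request context; both are assumed names.
caveat ip_allowlist(user_ip ipaddress, allowed_range string) {
    user_ip.in_cidr(allowed_range)
}

definition user {}

definition document {
    // A viewer may be granted unconditionally, or only while
    // the caveat holds (the relationship carries the CIDR).
    relation viewer: user | user with ip_allowlist
    permission view = viewer
}
```

A check for `document:x#view@user:y` that hits a caveated relationship without the `user_ip` context cannot be resolved to a definite answer, so callers must pass the context the caveat needs.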
## Relation
Defines how two objects (or an object and a subject) can relate to one another.
A user can read a document if they are a reader of the document.
A document can be read by readers.
```spicedb
definition user {}
definition document {
    relation reader: user
}
```
### Subject Relation
Relations can also "contain" references to other relations/permissions.
A user can be a member of a group A.
The members of group B can be members of a group A.
```spicedb
definition user {}
definition group {
    relation member: user | group#member
}
```
### Wildcards
A relation can specify a wildcard to indicate that a grant can be made to every
subject of that type at once, rather than to individual subjects.
All users can view the resource.
The resource is viewable by all users.
```spicedb
definition user {}
definition resource {
    relation viewer: user | user:*
}
```
### Naming
Relations should be named as nouns.
* `{relation name} (of the object)`
  * `reader` of the document
  * `writer` of the document
  * `member` of the group
  * `parent` of the group
## Permissions
A permission defines a computed set of subjects that have a permission of some
kind on the parent object.
A user can be a reader or writer of a document.
When a user is a writer of a document they have both the view and edit permissions on
the document. When a user is a reader of a document they have only the view
permission on the document.
```spicedb
definition user {}
definition document {
    relation writer: user
    relation reader: user
    permission edit = writer
    permission view = reader + writer
}
```
### Operators
- `+`: Union operator; the result contains subjects found in either relation or permission.
- `&`: Intersection operator; the result contains only subjects found in both sets.
- `-`: Exclusion operator; removes the subjects of the right-hand set from the left-hand set.
- `->`: Arrow operator; walks from the subjects of a relation to a relation or permission defined on those subjects (e.g. `parent->view`).
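As an added example (not from the linked docs; the `organization`, `folder` and `document` types and their relation names are assumptions), a schema that uses all four operators together. The exclusion is applied last so that a ban wins over any grant reached through the union or the arrow:

```spicedb
// Added example schema; all type and relation names are assumed.
definition user {}

definition organization {
    relation admin: user
    relation member: user
    relation banned: user
}

definition folder {
    relation org: organization
    relation viewer: user
    // `+` union with an `->` arrow: direct viewers plus the org's admins.
    permission view = viewer + org->admin
}

definition document {
    relation org: organization
    relation parent: folder
    relation writer: user
    relation reader: user

    // `+` joins readers, writers and anyone who can view the parent folder
    // (`parent->view` walks to the folder's computed permission);
    // `-` then removes anyone banned from the organization.
    permission view = (reader + writer + parent->view) - org->banned

    // `&` keeps only writers who are also current org members,
    // and the ban still applies.
    permission edit = (writer & org->member) - org->banned

    // An arrow on its own: only organization admins may delete.
    permission delete = org->admin
}
```

Precedence matters here: without the parentheses the exclusion would apply only to the last term, so a banned user who is still a `reader` would keep `view`. Wrapping the union first is the pattern that makes the deny effective over every path.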
### Naming
Permissions should be named as verbs or nouns.
* `is/can {permission name} (the object)`
  * can `read` the object
  * can `write` the object
  * can `delete` the object
  * is `member` of the object
## Resources
* https://authzed.com/docs/spicedb/concepts/schema