I'm having an issue with authzed schema and relationships. I seem to be misunderstanding how things work.
I've got a scenario where users can be part of a group either by direct inclusion or by indirect location based criteria, location is hierarchical, with three levels -- Country, State/Province, and City.
That is to say:
Anyone in Wichita, Topeka, or Dodge City is also in Kansas.
Anyone in Seattle, Tacoma, or Spokane is in Washington.
Anyone in Kansas or in Washington is in the United States.
Similarly, anyone who is in Pune is also in Maharashtra, and anyone in Maharashtra is in India.
I've built a schema (https://play.authzed.com/s/cBfN1HhtcoVE) that supports detection of direct inclusions. I have a user_group called wichitans. It includes (naturally) users in the wichita org_unit, as well as user Samuel, who is in Seattle, but will be moving to wichita in the coming months.
I'm using the permission name "is_user_in_ex/implicits" just to understand I have grouping correct. I can see in the Expected_relations that Samuel is in Wichita explicits and Wally is in Wichita implicits, which is what I expect, as Wally is in the children of wichita.
Now I make a small change to line 22 of the test relationships (https://play.authzed.com/s/zeYxryGzYbaK), so that instead of assigning Wichita to implicits, I assign Kansas to implicits. Samuel remains in Explicits, Wichita remains in Implicits (because it's a child of Kansas), but Wally is no longer in implicits. I was under the assumption that there would be a recursive evaluation, but that doesn't appear to be the case. Is there a different operator to say "I would like this relationship to be recursive" or do I need to change some schema definitions? I'd like to avoid splitting the org unit into three distinct levels if possible.
In SpiceDB, you can take the permissions computations very literally. In the first schema, where the block looks like:

We are starting our permissions walk at the `user_group` object type. When calculating the `is_user_in_implicits`, we are gathering up the relationships for `implicits`, which contains only the relationship:

Then, we union that with the objects (note: I don't say users) that are referenced by `implicits->children`. Pseudocode for what this does could be written as:

Given the relevant `children` relationships:

This will yield the subject `org_unit:wichita`.

There are no further instructions for the permissions system to follow or resolve.

As noted in the sibling answer, one way to resolve this is to point to a `permission` on the child. By putting `is_user_in_implicits` on both the `org_unit` and `user_group`, we can resolve through that permission regardless of what type the `children` relation points to. This is called "duck typing" and should be familiar from programming languages such as Python and Ruby.

Another way to accomplish this would be to set the type of `children` to reference not the org unit itself, but the org unit's children, as follows:

This will require you to set the `optional_subject` on the relationships to `children`, but will allow you to hoist the decision about whether to recursively descend into the data layer.

I prefer to be explicit about when we're descending recursively when possible.

You can read more about how SpiceDB computes permissions in the following blog posts:
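A small model of the permission walk the answer describes, added here as an example and not code from the question, the answer or SpiceDB itself: it evaluates the question's one-hop `implicits->children` arrow and the answer's duck-typed `implicits->is_user_in_implicits` arrow over the same constructed relationships, so the difference in the resulting subject sets is visible. The relationship tuples and the `user`/`org_unit` subject types are assumptions based on the question's description.

```python
from collections import defaultdict

# Constructed relationships mirroring the question after the "line 22" change:
# Samuel is explicit, Wally is a child of Wichita, Wichita a child of Kansas,
# and the group's implicits relation now points at Kansas.
REL = defaultdict(set)  # (resource, relation) -> subjects
for res, rel, subj in [("user_group:wichitans", "explicits", "user:samuel"),
                       ("user_group:wichitans", "implicits", "org_unit:kansas"),
                       ("org_unit:kansas", "children", "org_unit:wichita"),
                       ("org_unit:wichita", "children", "user:wally")]:
    REL[(res, rel)].add(subj)

# Permission expressions: ("rel", r) reads a relation, ("arrow", r, name) walks
# r and resolves `name` on each subject found, ("union", a, b) merges both.
# As in the question: the arrow names the children *relation*, one hop only.
SCHEMA_QUESTION = {"user_group": {"is_user_in_implicits": (
    "union", ("rel", "implicits"), ("arrow", "implicits", "children"))}}
# The answer's "duck typing" fix: org_unit and user_group both define
# is_user_in_implicits and the arrows target that *permission*, so it recurses.
SCHEMA_DUCK = {
    "org_unit": {"is_user_in_implicits": (
        "union", ("rel", "children"), ("arrow", "children", "is_user_in_implicits"))},
    "user_group": {"is_user_in_implicits": (
        "union", ("rel", "implicits"), ("arrow", "implicits", "is_user_in_implicits"))},
}

def expand(obj, name, schema, seen=frozenset()):
    """All subjects (objects, not just users) reachable from obj#name.
    `seen` stops infinite descent if the children relation ever forms a cycle."""
    if (obj, name) in seen:
        return set()
    expr = schema.get(obj.split(":")[0], {}).get(name)
    if expr is None:                      # plain relation: read it literally
        return set(REL.get((obj, name), ()))
    return _eval(obj, expr, schema, seen | {(obj, name)})

def _eval(obj, expr, schema, seen):
    if expr[0] == "rel":
        return set(REL.get((obj, expr[1]), ()))
    if expr[0] == "union":
        return _eval(obj, expr[1], schema, seen) | _eval(obj, expr[2], schema, seen)
    out = set()                           # arrow: walk rel, resolve name on each hit
    for subj in REL.get((obj, expr[1]), ()):
        out |= expand(subj, expr[2], schema, seen)
    return out

def check(schema, resource, permission, subject):
    """True when `subject` shows up in the computed permission set."""
    return subject in expand(resource, permission, schema)
```

With the question's schema the walk stops at `org_unit:wichita`, exactly as the answer says; with the duck-typed schema it continues through Wichita's own `is_user_in_implicits` and reaches `user:wally`.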