docs/getting-started/modeling.mdx: 8 additions & 6 deletions
@@ -252,9 +252,11 @@ The same `delete` action can also be defined using the **permission** keyword, a
252
252
Using the `action` or `permission` keywords yields the same authorization logic. We have two keywords for defining a permission because most, but not all, permissions are based on actions. Learn more in our [Nested Hierarchies](/modeling-guides/rebac/impersonation) section.
253
253
</Note>
254
254
255
-
The `and`operation creates an intersection between relations but is not tied to specific entities. For example, in the following model, users can see a repository if they are a member or admin of any organization.
255
+
The `and`operator intersects the resolved user sets of its operands.
256
256
257
-
Let's say `user:1` is a member of `organization:1` and an admin of `organization:2`. If `repository:1` belongs to `organization:1`, then `user:1` has access to delete `repository:1`.
257
+
For an expression such as `org.member and org.admin`, Permify evaluates `org.member` and `org.admin` independently across all organizations reachable through `org`, and then intersects the resulting user sets.
258
+
259
+
Use this pattern when you want intersection across the users reachable through all related organizations:
258
260
259
261
```perm
260
262
entity user {}
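Review bot: `and`operator in the first added line is missing the space between the backticked keyword and "operator" (the removed line had the same defect, so this rewrite is the place to fix it). The closing sentence, "intersection across the users reachable through all related organizations", can be read as requiring membership and admin on every related organization, which is the opposite of what the paragraph before it describes; suggest "intersection of the users who are a `member` of any related organization with the users who are an `admin` of any related organization (not necessarily the same one)". Minor, in the unchanged context: the link text "Nested Hierarchies" points at `/modeling-guides/rebac/impersonation`, so text and target disagree.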
@@ -270,9 +272,9 @@ entity repository {
270
272
}
271
273
```
272
274
273
-
This is not always what you want. If you want to tie the relation to a specific organization, so that a user must be an admin and a member of the same organization to have the delete permission, create the permission on the organization and have the repository re-use the permission check.
275
+
If a repository is related to multiple organizations, a user can satisfy `org.member and org.admin` by being a `member` of one related organization and an `admin` of another.
274
276
275
-
Here's an example of that:
277
+
If you need both relations to be satisfied on the same organization, define the intersection on `organization` and reference that permission from `repository`:
276
278
277
279
```perm
278
280
entity user {}
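Review bot: the new paragraph drops the concrete walkthrough from the removed text (`user:1` as a member of `organization:1` and an admin of `organization:2`); the abstract sentence about "a `member` of one related organization and an `admin` of another" is correct, but that example is what makes it tangible, so consider keeping it as a one-line illustration before the model. Also "define the intersection on `organization`" would read more precisely if it named the organization-side permission explicitly (the `member and admin` intersection that `org.delete` resolves to), since the model block that follows is cut in this hunk and the reader cannot see that definition here.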
@@ -287,11 +289,11 @@ entity organization {
287
289
entity repository {
288
290
relation org @organization
289
291
290
-
permission delete = org.delete
292
+
permission delete = org.delete
291
293
}
292
294
```
293
295
294
-
This ensures that if the user is not a member and admin of the same organization, the repository delete permission check will fail.
296
+
In this version, `member and admin` is evaluated within each organization first, so `repository.delete` is granted only if the user satisfies both relations on at least one related organization.
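Review bot: `permission delete = org.delete` is removed and re-added with identical visible content, so the change is presumably whitespace or indentation only; confirm it is intended and that the `perm` block still renders, rather than an accidental reformat slipping into a docs-wording commit. The closing sentence is accurate, but "on at least one related organization" is the phrase that carries the whole point and deserves emphasis: a user who is a `member` of `organization:1` and an `admin` of `organization:2` passes the first model's `org.member and org.admin` yet fails `repository.delete` here, which is exactly the difference the section is explaining.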