Inherence permissions for roles

[ofeksher]

Hi,

I'm trying to model authorization model with nested roles. For example, role:2 have editor relation with document:exp, and role:1 his parent of role:2, then role:1 has a permissions to edit document:exp.

I have tried to write the next DSL, but I got an error (editor relation used inside from allows only direct relation.):

There is some walk around for this error? or other way to model it?

Thanks

[jon-whit]

model
  schema 1.1

type user

type role
  relations
    define child: [role]
    define member: [user] or member from child
    
type document
  relations
    define editor: [role#member]

- role:2#child@role:1
- document:exp#editor@role:2#member
- role:1#member@user:jon

Check(document:1#editor@user:jon) returns {allowed: true} because user:jon is a member of role:1 and role:1 is a child of role:2 and role:2 has editor on document:exp. Here's a sample Playground link that demonstrates this.

https://play.fga.dev/stores/create/?id=01HGV3YREXM5KDMJYD72K5FMD3

NOTE: OpenFGA models relationships as a directed graph. So if you want parent and child relationships you have to create these individually. We don't have bidirectional edges in OpenFGA. Everything is directed.