Relationships
Relationships are the underlying datatype of Ory Permissions. They encode relations between objects, which are the resources that you want to manage to, and subjects, which are the people or things that want to access these resources. A relationship is associated with a namespace where its relation has to be defined and configured.
You can think of relationships as edges in a graph. For a simple relationship:
User:user1 is in members of Group:group1
User:user2 is in readers of Document:readme.txt
Folder:src is in parents of Document:package.json
The Zanzibar paper uses the following notation for relationships:
Group:group1#members@User:user1
Ory commonly uses the notation presented in the example as it's easier to read and understand.
The graphical representation looks like this:
User
and Group
are the subject and object namespaces respectively. user1
and group1
are the subject and object.
Relationships and permissions
Ory Permissions checks permissions based on:
- relationships
- permission rules
Think of relationships as of facts used to answer permission checks. When a user is added to a group, add a relationship from the
user (subject) to the group (object) through a members
relationship. Use the permission model to define concrete permissions the
user gets by being a member of this group.