The following schema demonstrates a hierarchical structure (Organization > Department > Project) with inherited permissions. Each level has its own roles (admin/member, manager, lead) that grant certain permissions, while also inheriting permissions from the level above. Before breaking it down, here is the complete schema:

    entity user {}

    entity organization {
      relation admin @user
      relation member @user

      action view = admin or member
      action edit = admin
    }

    entity department {
      relation parent @organization
      relation manager @user

      action view = parent.view or manager
      action edit = parent.edit or manager
    }

    entity project {
      relation parent @department
      relation lead @user

      action view = parent.view or lead
      action edit = parent.edit or lead
    }

Breaking Down

User Entity:

    entity user {}

This is a simple entity representing a user with no specific relations or actions defined.

Organization Entity:

    entity organization {
      relation admin @user
      relation member @user

      action view = admin or member
      action edit = admin
    }

Has two relations: admin and member, both referring to users.

Defines two actions:
  • view: can be performed by admins or members
  • edit: can only be performed by admins

Department Entity:

    entity department {
      relation parent @organization
      relation manager @user

      action view = parent.view or manager
      action edit = parent.edit or manager
    }

Has two relations: parent (referring to an organization) and manager (referring to a user).

Defines two actions:
  • view: can be performed by those who can view the parent organization or the department manager
  • edit: can be performed by those who can edit the parent organization or the department manager

Project Entity:

    entity project {
      relation parent @department
      relation lead @user

      action view = parent.view or lead
      action edit = parent.edit or lead
    }

Has two relations: parent (referring to a department) and lead (referring to a user).

Defines two actions:
  • view: can be performed by those who can view the parent department or the project lead
  • edit: can be performed by those who can edit the parent department or the project lead
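
To see how far each role reaches under this schema, the following added example (not part of the original documentation and not Permify's engine) re-implements the three entities' rules in a few lines of Python and resolves checks against constructed relation tuples. The entity IDs, user names and the `check`, `subjects` and `access_matrix` helpers are assumptions made for illustration.

```python
# Illustrative evaluator for the schema above; NOT Permify's implementation.
# Each action maps to its "or" terms. A term "parent.view" means: follow the
# `parent` relation, then evaluate `view` on the entity found there.
SCHEMA = {
    "organization": {"view": ["admin", "member"], "edit": ["admin"]},
    "department": {"view": ["parent.view", "manager"], "edit": ["parent.edit", "manager"]},
    "project": {"view": ["parent.view", "lead"], "edit": ["parent.edit", "lead"]},
}

# Constructed relation tuples: (entity, relation, subject).
TUPLES = {
    ("organization:acme", "admin", "user:alice"),
    ("organization:acme", "member", "user:bob"),
    ("department:eng", "parent", "organization:acme"),
    ("department:eng", "manager", "user:carol"),
    ("department:sales", "parent", "organization:acme"),
    ("project:api", "parent", "department:eng"),
    ("project:api", "lead", "user:dave"),
    ("project:crm", "parent", "department:sales"),
}
USERS = ["user:alice", "user:bob", "user:carol", "user:dave"]

def subjects(entity, relation):
    """Return every subject related to `entity` through `relation`."""
    return {s for (e, r, s) in TUPLES if e == entity and r == relation}

def check(user, action, entity):
    """True if any term of the action's rule grants `user` access."""
    entity_type = entity.split(":", 1)[0]
    for term in SCHEMA[entity_type][action]:
        if "." in term:  # inherited: evaluate the action on the parent
            relation, parent_action = term.split(".")
            if any(check(user, parent_action, p) for p in subjects(entity, relation)):
                return True
        elif user in subjects(entity, term):  # direct role on this entity
            return True
    return False

def access_matrix(entity):
    """List the actions each sample user may perform on `entity`."""
    return {u: [a for a in ("view", "edit") if check(u, a, entity)] for u in USERS}

if __name__ == "__main__":
    for target in ("organization:acme", "department:eng", "project:api", "project:crm"):
        print(target, access_matrix(target))
```

Permissions flow downward only: an organization admin can edit every project, a department manager can edit only projects under that department, and a project lead gains nothing on the parent department.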

More Advanced Example

See our Facebook Groups example to learn how to apply nested hierarchies in a real-world scenario.