Testing out the new Client Permissions to limit write/delete permissions to what tuples a client key can make changes to. Just had a quick question about how it works for attributes that may be extended from the root module.
If I have a `company` attribute in the `core.fga` file. And then I have another module that is named `appB.fga` and they use the `extend type company`.
If I create the client key and I limit them to write/delete in the `appB` module, would that allow them to write/delete objects with the `company` type?
Hi @stephenbawks1
Maybe the docs here would help clarify.
Specifically the section in the attached screenshot.
The TLDR - the module is from the relation on the object type, if the relation has no override, it inherits the object type’s module.
So let’s say you have this
```
model
  schema 1.2

type user # module: core, file: core.fga

type company # module: core, file: core.fga
  relations
    define admin: [user]
    define member: [user] or admin
    define project_creator: [user] or admin # extended by: module: appB
```
| Tuple | Relation Module | Object Type Module | Module used for enforcement |
|---|---|---|---|
| user=user:anne, admin, company:A | core | core | core |
| user=user:anne, project_creator, company:A | appB | core | appB |
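The resolution rule from the reply above, as an added example that is not part of the original thread and is not OpenFGA's own code: it resolves the module used for enforcement for each tuple in the table and checks it against a client key limited to `appB`. The names `TypeDef`, `MODEL`, `enforcement_module` and `check_writes` are hypothetical, and both the allow/deny decision and the choice to deny tuples that cannot be resolved are assumptions of this sketch.

```python
from dataclasses import dataclass, field


@dataclass
class TypeDef:
    module: str                                     # module that declares the type
    relations: set                                  # relations defined on the type
    overrides: dict = field(default_factory=dict)   # relation -> extending module


# Constructed from the model in the reply: company lives in core,
# project_creator is added by appB's "extend type company".
MODEL = {
    "user": TypeDef("core", set()),
    "company": TypeDef("core", {"admin", "member", "project_creator"},
                       {"project_creator": "appB"}),
}


def enforcement_module(model, relation, obj):
    """Relation's module if it has an override, else the object type's module."""
    obj_type, sep, obj_id = obj.partition(":")
    if not sep or not obj_id:
        raise ValueError(f"malformed object {obj!r}")
    tdef = model[obj_type]                  # KeyError: unknown type
    if relation not in tdef.relations:
        raise KeyError(f"{obj_type} has no relation {relation!r}")
    return tdef.overrides.get(relation, tdef.module)


def check_writes(model, key_modules, tuples):
    """Return (tuple, module, allowed) per write; unresolvable tuples are denied."""
    results = []
    for user, relation, obj in tuples:
        try:
            module = enforcement_module(model, relation, obj)
        except (KeyError, ValueError):
            results.append(((user, relation, obj), None, False))
            continue
        results.append(((user, relation, obj), module, module in key_modules))
    return results


if __name__ == "__main__":
    writes = [("user:anne", "admin", "company:A"),
              ("user:anne", "project_creator", "company:A"),
              ("user:anne", "owner", "company:A")]      # constructed: undefined relation
    for t, module, ok in check_writes(MODEL, {"appB"}, writes):
        print(t, "->", module, "ALLOW" if ok else "DENY")
```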