zepatrik
commented
4 months ago I agree that the docs are confusing and incomplete here. The console is not super helpful either (and partially lacking functionality), but here are the details on how to make it work:
You are mixing subject sets (typed subjects) and subject IDs (untyped). What you want to do is create the relationships with the subject set, which you can do in the console like this:
The permission check then also has to use subject sets: /relation-tuples/check?namespace=Document&object=docA&relation=share&subject_set.object=userA&max-depth=100&subject_set.namespace=User&subject_set.relation=
In general you should probably never use subject IDs, but always the subject set instead. We do plan to deprecate the subject ID for this confusion and no real benefit.
I will keep this issue open so that we keep track of the docs changes.
Preflight checklist
Ory Network Project
https://gracious-hypatia-b9te8t22yp.projects.oryapis.com
Describe the bug
Following steps in this guide: https://www.ory.sh/docs/keto/modeling/create-permission-model
Created a bug here as the documentation should make clearer how to the setup relationships to make the permission model work.
Please let me know if I understand something fundamentally wrong about the way the permission model is supposed to work :)
Reproducing the bug
permissions-v5.tsuserAisownersofFolder:folderAfolderAisparentsofDocument:docAExpected:
/relation-tuples/checkreturns{"allowed": true}Actual:/relation-tuples/checkreturns{"allowed": false}Relevant log output
No response
Relevant configuration
No response
Version
v0.13.0-alpha.0
On which operating system are you observing this issue?
Ory Network
In which environment are you deploying?
Ory Network
Additional Context
Permission v3 and v4 don't work. Permission v5 works again (which is marked as optional) :D