Global Roles

Give users roles that span the entire application (regardless of resource). This is common for internal users of your application and also for purely internal applications.

Implement the logic

Global roles are a special kind of role that aren't associated with any specific resources.

We declare global roles within a global block and grant roles and permissions to those global roles on all resources using the global keyword.


actor User { }
global {
roles = ["admin"];
}
resource Organization {
roles = ["admin", "member", "internal_admin"];
permissions = ["read", "write"];
# internal roles
"internal_admin" if global "admin";
"read" if "internal_admin";
"member" if "admin";
"read" if "member";
"write" if "admin";
}

Test the logic

To test the logic, we'll check that we can assign Alice the global "admin" role. And now, without needing to give Alice a resource-specific role on every single organization, she has the "read" permission on all organizations.


test "global admins can read all organizations" {
setup {
has_role(User{"alice"}, "admin");
}
assert allow(User{"alice"}, "read", Organization{"acme"});
assert allow(User{"alice"}, "read", Organization{"foobar"});
}