Hello Braintrust,
Back with another hypothetical. I want to design permissions in the ontology in a “resource-based” way. Is this possible?
The analogous product experience I want to be able to support is Notion/Google Docs:
- You can see everything within your group
- You can “share” a resource (in my case, a Purchase Order) with a specific user on the platform who is outside your group
The use case here is to share a Purchase Order with a supplier.
In the simplistic case, where the “resource” that I want to share corresponds 1:1 with a single object, I think I can do this by:
- Creating a column/property on the object called `SharedUsers`, which is an array of multipass user IDs.
- Updating the Row Level policy on the backing Restricted View to allow access to a row if the viewing user’s ID is in that array
- Creating a “Share” action that adds a user to that array
Does that make sense?
There is a more complicated case, though, where a “resource”, as we define it, is multiple objects. For example, I want to share a Purchase Order (PO), but a PO consists of PO Line Items, Tax, Status, etc. To share this overall PO resource properly, I would need to propagate the new user access to all the dependent objects.
What are some ideas you all have for modeling something like this? In another system (like Hasura), you can model permissions across linked objects, but to my knowledge, this is not possible in Foundry.
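
The sharing model described above, as an added example that is not part of the original post and does not use any Foundry API: a plain-Python model of the `SharedUsers` row-level check, with the grant copied onto every object linked under the Purchase Order. The `Row` class, the function names and the sample IDs are all hypothetical; the point it shows is that revocation and newly created dependents must go through the same propagation, or access drifts.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Row:
    """One object row as the row-level policy sees it (constructed model)."""
    id: str
    owner_group: str
    parent_id: Optional[str] = None                  # link from a dependent object to its PO
    shared_users: set = field(default_factory=set)   # the post's SharedUsers array

def can_view(row, user_id, user_groups):
    """Policy: members of the owning group, or users listed in SharedUsers."""
    return row.owner_group in user_groups or user_id in row.shared_users

def resource_rows(rows, root_id):
    """IDs of the root row and everything linked beneath it, at any depth."""
    found, grew = {root_id}, True
    while grew:
        grew = False
        for r in rows.values():
            if r.parent_id in found and r.id not in found:
                found.add(r.id)
                grew = True
    return found

def share(rows, root_id, user_id):
    """'Share' action: write the user onto every row of the resource."""
    for rid in resource_rows(rows, root_id):
        rows[rid].shared_users.add(user_id)

def unshare(rows, root_id, user_id):
    """Revocation must cover the same set, or dependents stay readable."""
    for rid in resource_rows(rows, root_id):
        rows[rid].shared_users.discard(user_id)

def add_dependent(rows, row):
    """Rows created after a share copy the parent's current grants."""
    row.shared_users |= set(rows[row.parent_id].shared_users)
    rows[row.id] = row

def sample_rows():
    """Constructed data: two POs owned by group 'buyers', one with dependents."""
    rows = {r.id: r for r in [Row("po-1", "buyers"), Row("po-2", "buyers")]}
    add_dependent(rows, Row("line-1", "buyers", "po-1"))
    add_dependent(rows, Row("tax-1", "buyers", "line-1"))
    return rows
```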