# Modelling a users, roles, policies system with permissions in Hasura
### If your policies reside in Hasura (in tables), then you can create permissions on the actual resources table based on these policies.
For example:

Tables:
```
users - user_id, ...
teams - team_id, ...
user_teams - team_id, user_id
policies - policy_id, policy_type, ...
user_policies - user_id, policy_id
team_policies - team_id, policy_id
resource_policies - r_id, policy_id
resource_table_1 - ...
resource_table_2 - ...
```
A row in the `policies` table might look like:
```
policy_id - 1
policy_name - xxx
policy_type - read|update|create|delete
```
Create the appropriate array and object relationships.
And then you can create permissions on `resource_table_1` (this table has an array relationship, `policies`, to the `resource_policies` table):

- select permission: allow the row if a policy attached to the current resource has type read and that same policy is assigned to the user, either directly (user policy) or through one of the user's teams (team policy). Both checks sit under a single `policies.policy` node so that they must hold for the same policy:

```json
{
  "policies": {
    "policy": {
      "_and": [
        {
          "policy_type": {
            "_eq": "read"
          }
        },
        {
          "_or": [
            {
              "users": {
                "user_id": {
                  "_eq": "X-Hasura-User-Id"
                }
              }
            },
            {
              "teams": {
                "team": {
                  "users": {
                    "user_id": {
                      "_eq": "X-Hasura-User-Id"
                    }
                  }
                }
              }
            }
          ]
        }
      ]
    }
  }
}
```

- other insert, update etc. permissions would use `policy_type: eq: write` etc.
- this probably should be an enum, I just used text for this example.
- if you can pass `x-hasura-team-id` in the auth then you can directly use it for comparing (instead of `team.users.user_id`), making the above a bit neater and more efficient

I have put this up in a sample Heroku instance: https://hge-testing.herokuapp.com/. You can check it out.
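
Hasura evaluates each array-relationship key in a permission filter as its own EXISTS subquery, so it matters whether the `read` check and the user check sit under one `policies.policy` node or under two sibling `policies` nodes. The following is an added example, not part of the original page: it writes both shapes as SQL against an in-memory SQLite copy of the tables above (constructed rows, teams omitted, and the SQL is a simplified stand-in for what Hasura generates).

```python
import sqlite3

# Constructed schema and rows, following the page's table names (teams omitted).
SCHEMA = """
CREATE TABLE policies (policy_id INTEGER PRIMARY KEY, policy_type TEXT);
CREATE TABLE user_policies (user_id TEXT, policy_id INTEGER);
CREATE TABLE resource_policies (r_id INTEGER, policy_id INTEGER);
CREATE TABLE resource_table_1 (r_id INTEGER PRIMARY KEY, title TEXT);
INSERT INTO resource_table_1 VALUES (1, 'payroll'), (2, 'wiki');
INSERT INTO policies VALUES (10, 'read'), (11, 'delete'), (12, 'read');
INSERT INTO resource_policies VALUES (1, 10), (1, 11), (2, 12);
INSERT INTO user_policies VALUES ('alice', 10), ('bob', 11), ('bob', 12);
"""

# Two sibling `policies` conditions: each becomes its own EXISTS, so the
# 'read' policy and the user's policy may be different rows.
SPLIT = """
SELECT r.r_id FROM resource_table_1 r
WHERE EXISTS (SELECT 1 FROM resource_policies rp
              JOIN policies p ON p.policy_id = rp.policy_id
              WHERE rp.r_id = r.r_id AND p.policy_type = 'read')
  AND EXISTS (SELECT 1 FROM resource_policies rp
              JOIN user_policies up ON up.policy_id = rp.policy_id
              WHERE rp.r_id = r.r_id AND up.user_id = :uid)
ORDER BY r.r_id
"""

# Both conditions nested under one `policies.policy`: a single EXISTS, so the
# same policy row must be of type 'read' and belong to the user.
NESTED = """
SELECT r.r_id FROM resource_table_1 r
WHERE EXISTS (SELECT 1 FROM resource_policies rp
              JOIN policies p ON p.policy_id = rp.policy_id
              JOIN user_policies up ON up.policy_id = p.policy_id
              WHERE rp.r_id = r.r_id AND p.policy_type = 'read'
                AND up.user_id = :uid)
ORDER BY r.r_id
"""

def readable(query, user_id):
    """Return the resource ids the given filter shape lets user_id select."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    rows = db.execute(query, {"uid": user_id}).fetchall()
    db.close()
    return [r[0] for r in rows]

if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "split:", readable(SPLIT, user), "nested:", readable(NESTED, user))
```

In this data bob holds only a `delete` policy on resource 1, yet the split shape still returns it to him because alice's `read` policy satisfies the other EXISTS.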
### If your policies reside or are derived outside Hasura, you can use the Auth webhook to add `x-hasura-*` variables which indicate various policies, and use them to add permissions to your resource tables.
For example:

Tables:
```
resource_policies - (res_id, policies)
important_docs - (doc_id, bla)
```
`res_id` is a reference to the actual resource table. `policies` is a JSON column storing a JSON array of external policy identifiers (some UUID etc.). Create an array relationship from `important_docs` to `resource_policies` and name it `policies`.

Then you can create a permission on `important_docs` like this, where the outer `policies` is the relationship and the inner `policies` is the JSON column:
```json
{
  "policies": {
    "policies": {
      "_contains": "x-hasura-policies"
    }
  }
}
```
And then your auth webhook can return the session variable as a JSON array string literal: `x-hasura-policies: ["xxxx", "yyyyy"]` containing policies belonging to that user.