Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Hasura organization permissions

Introduction

This document outlines how to model a common organization-based permission system in Hasura. Let's assume that you have some table structure like the following:

Table Name Columns Foreign Keys
User id, name, email
Organization User id, user_id, organization_id user_id -> user.id, organization_id -> organization.id
Organization id, name

Example Data

Here we have example users, two (John and Jane) belonging to Organization ID 1, and Frank belonging to Organization ID 2:

User Organization User Organization
hasura-org-permissions-user-table hasura-org-permissions-org-user-table hasura-org-permissions-org-table

Relationships

We create the following relationships on our data:

User Organization User Organization
hasura-org-perms-user-relations hasura-org-perms-org-user-relations hasura-org-perm-org-relations

Permissions

And provision the permissions like such:

User Organization User Organization
hasura-org-perm-user-perms hasura-org-perm-org-user-perms hasura-org-permissions-org-perm

Query Results

Now when we query with our X-Hasura-User-Id set as User 1 and 3 respectively, we can see only those users in our own organizations:

User ID 1 (Org 1) User ID 3 (Org 2)
query-as-user-org-1 query-as-user-org-2
@delokman
Copy link

delokman commented Apr 14, 2020

like it

@sidespin-admin
Copy link

sidespin-admin commented Sep 15, 2020

Can this design be used for a SaaS application? Do you see any issue with that?

@GavinRay97
Copy link
Author

GavinRay97 commented Sep 15, 2020

@sidespin-admin This works fairly well for most applications where's there a concept of "groups", "teams", "tenents", or "organizations".

If you ignore the table names, the premise is:

Some kind of organization/group-like structure <-> People (or resources) that belong to that org/group

So if your domain model has this requirement, you can probably adapt some version of this for your needs 👍

@sidespin-admin
Copy link

sidespin-admin commented Sep 16, 2020

@sidespin-admin This works fairly well for most applications where's there a concept of "groups", "teams", "tenents", or "organizations".

If you ignore the table names, the premise is:

Some kind of organization/group-like structure <-> People (or resources) that belong to that org/group

So if your domain model has this requirement, you can probably adapt some version of this for your needs 👍

Thank yyou, that really helps me out!

@maxcan
Copy link

maxcan commented Jun 23, 2021

@GavinRay97 I think the docs need to clear up how arrays work in permissions. I've also figured this out on my own, but its very unobvious that you can use this:

image

for determining if field of an object of an array matches a variable

@wackyapps
Copy link

wackyapps commented Oct 14, 2021

Very useful indeed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment