Hasura organization permissions

Introduction

This document outlines how to model a common organization-based permission system in Hasura. Let's assume that you have some table structure like the following:

| Table Name | Columns | Foreign Keys |
| --- | --- | --- |
| User | id, name, email | |
| Organization User | id, user_id, organization_id | user_id -> user.id, organization_id -> organization.id |
| Organization | id, name | |

Example Data

Here we have three example users: John and Jane belong to Organization ID 1, and Frank belongs to Organization ID 2:

[Screenshots: User, Organization User, and Organization tables]

Relationships

We create the following relationships on our data:

[Screenshots: relationships on the User, Organization User, and Organization tables]

Permissions

We then set up the permissions as follows:

[Screenshots: permissions on the User, Organization User, and Organization tables]
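One way to express the relationships and select permissions described above as Hasura table metadata. This is an added example, not the gist author's own configuration. The `public` schema, the `organization_user` table name, the role name `user`, and the relationship names `organization_users`, `organization` and `user` are all assumptions.

```yaml
# Added example (assumed names: role "user", schema "public",
# relationships organization_users / organization / user).
- table: {schema: public, name: user}
  array_relationships:
    - name: organization_users        # organization_user.user_id -> user.id
      using:
        foreign_key_constraint_on:
          column: user_id
          table: {schema: public, name: organization_user}
  select_permissions:
    - role: user
      permission:
        columns: [id, name, email]
        # A user row is visible when it shares an organization with the caller.
        filter:
          organization_users:
            organization:
              organization_users:
                user_id: {_eq: X-Hasura-User-Id}
- table: {schema: public, name: organization_user}
  object_relationships:
    - name: user
      using: {foreign_key_constraint_on: user_id}
    - name: organization
      using: {foreign_key_constraint_on: organization_id}
  select_permissions:
    - role: user
      permission:
        columns: [id, user_id, organization_id]
        # Membership rows are visible only for organizations the caller is in.
        filter:
          organization:
            organization_users:
              user_id: {_eq: X-Hasura-User-Id}
- table: {schema: public, name: organization}
  array_relationships:
    - name: organization_users        # organization_user.organization_id -> organization.id
      using:
        foreign_key_constraint_on:
          column: organization_id
          table: {schema: public, name: organization_user}
  select_permissions:
    - role: user
      permission:
        columns: [id, name]
        # An organization is visible only to its own members.
        filter:
          organization_users:
            user_id: {_eq: X-Hasura-User-Id}
```

`X-Hasura-User-Id` is a session variable, so these filters only isolate organizations when it is set from a verified JWT claim or auth webhook response rather than taken from a client-supplied header.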

Query Results

Now when we query with our X-Hasura-User-Id set as User 1 and 3 respectively, we can see only those users in our own organizations:

[Screenshots: query results as User ID 1 (Org 1) and as User ID 3 (Org 2)]

@delokman delokman commented Apr 14, 2020

like it


@sidespin-admin sidespin-admin commented Sep 15, 2020

Can this design be used for a SaaS application? Do you see any issue with that?

Owner Author

@GavinRay97 GavinRay97 commented Sep 15, 2020

@sidespin-admin This works fairly well for most applications where there's a concept of "groups", "teams", "tenants", or "organizations".

If you ignore the table names, the premise is:

Some kind of organization/group-like structure <-> People (or resources) that belong to that org/group

So if your domain model has this requirement, you can probably adapt some version of this for your needs 👍


@sidespin-admin sidespin-admin commented Sep 16, 2020

> @sidespin-admin This works fairly well for most applications where there's a concept of "groups", "teams", "tenants", or "organizations".
>
> If you ignore the table names, the premise is:
>
> Some kind of organization/group-like structure <-> People (or resources) that belong to that org/group
>
> So if your domain model has this requirement, you can probably adapt some version of this for your needs 👍

Thank you, that really helps me out!
