A relation type can optionally include named permissions. This provides a layer of indirection, which allows a relation type (commonly referred to as a "role") to aggregate a set of permissions.
Note that the relationship between relation types and permissions is "many to many" - meaning, a permission can be referenced by more than one relation type.
Aserto supports checking whether a user has a relationship to an object (e.g. an organization). It also supports checking whether a user has a permission on an object. This check returns "true" if ANY of the relations that the user has to this object contains the specified permission.
For example, the "owner", "editor", and "viewer" relation types that we created for the "organization" object type can all contain the "read" permission. If a user has a relation of any of these relation types to a particular organization instance, then they have the "read" permission.
Let's create four permissions: "create", "delete", "edit", and "view". We can then associate each of these permissions with one or more relations.
Click the Permissions tab in the directory sidebar, and the Organization label. We don't yet have any permissions defined.
Click the "Add" button to add the four permissions.
We should now have four permissions:
Assign permissions to relations
In order to associate a permission to one or more relation types, simply click the permission checkbox. Let's associate the "view" permission with all three relations; the "edit" permission with the "editor" and "owner" relation; and the "create" and "delete" permissions with the "owner" relation.
Next, let's grant users access to the organizations we created.