Add a page under modeling around how to deal with object creation #963

@rhamzeh

We get a lot of questions around how to deal with the can_create_x permission - whether to add it on the x type or somewhere else.

We should add our recommendation of adding it on an upper type.

Some context:

Normally when you are creating an object, you are creating it in the context of something - e.g. create a document in a folder, a team in an org, a photo in an album.
What happens if the thing exists outside of that, e.g. can the user create an org? In those cases, our advice is to create a top-level system object, as you can attach the create permission on that as well as attach other functionality to it.
You can find an example of that in our experimental access control for OpenFGA where can_call_create_store lives under system.

Similar & related questions from the CNCF Channel:

https://cloud-native.slack.com/archives/C06G1NNH47N/p1740011641126949
https://cloud-native.slack.com/archives/C06G1NNH47N/p1722965268391039
https://cloud-native.slack.com/archives/C06G1NNH47N/p1722965001795339
https://cloud-native.slack.com/archives/C06G1NNH47N/p1712581174806949
https://cloud-native.slack.com/archives/C06G1NNH47N/p1718961169696129
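
The recommendation above, sketched as an OpenFGA model. This is an added example, not part of the original issue or of OpenFGA's own access-control model; the type names, relation names, object ids and tuples are assumptions chosen for illustration.

```dsl.openfga
model
  schema 1.1

type user

# Singleton root object, e.g. system:root (the id is an assumption).
type system
  relations
    define admin: [user]
    # An organization has no parent object to check against,
    # so its create permission lives on the system object.
    define can_create_organization: admin

type organization
  relations
    define system: [system]
    define admin: [user] or admin from system
    define member: [user] or admin
    # Teams are created inside an organization, so the create
    # permission sits on the parent type, not on team itself.
    define can_create_team: admin

type team
  relations
    define organization: [organization]
    define member: [user]
    define can_view: member or admin from organization

# Constructed tuples (user, relation, object):
#   user:anne    admin   system:root
#   system:root  system  organization:acme
#   user:bob     admin   organization:acme
#
# Checks run before the new object exists:
#   user:anne  can_create_organization  system:root        -> allowed
#   user:bob   can_create_team          organization:acme  -> allowed
#   user:bob   can_create_organization  system:root        -> denied
#
# After creating team:eng, the application writes the parent link
# so later checks on the team can resolve through the organization:
#   organization:acme  organization  team:eng
```

Placing `can_create_team` on `team` would require a check against an object that does not exist yet, which is why each create permission is evaluated on the parent.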

Labels: documentation (Improvements or additions to documentation)