Global Roles
Give users roles that span the entire application (regardless of resource). This is common for internal users of your application and also for purely internal applications.
Implement the logic
Global roles are a special kind of role that aren't associated with any specific resources.
We declare global roles within a global
block and grant roles and permissions to those
global roles on all resources using the global
keyword.
actor User { }global { roles = ["admin"];}resource Organization { roles = ["admin", "member", "internal_admin"]; permissions = ["read", "write"]; # internal roles "internal_admin" if global "admin"; "read" if "internal_admin"; "member" if "admin"; "read" if "member"; "write" if "admin";}
Test the logic
To test the logic, we'll check that we can assign Alice the global "admin" role. And now, without needing to give Alice a resource-specific role on every single organization, she has the "read" permission on all organizations.
test "global admins can read all organizations" { setup { has_role(User{"alice"}, "admin"); } assert allow(User{"alice"}, "read", Organization{"acme"}); assert allow(User{"alice"}, "read", Organization{"foobar"});}