Permission

TailorDB's permission system provides enhanced flexibility and performance for controlling access to your data. It introduces two key resources that work together to provide comprehensive access control:

  • Permission - Record-level access control
  • GQLPermission - GraphQL operation-level access control

Permission (Record-Level Control)

Permission is defined within the Type resource and controls which users can operate on which records.

Basic Structure

<span><span style="color: var(--shiki-token-function)">resource</span><span style="color: var(--shiki-color-text)"> &quot;tailor_tailordb_type&quot; &quot;example&quot; {</span></span>
<span><span style="color: var(--shiki-color-text)">  workspace_id </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_workspace.demo.id</span></span>
<span><span style="color: var(--shiki-color-text)">  namespace    </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_tailordb.demo.namespace</span></span>
<span><span style="color: var(--shiki-color-text)">  name         </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Example&quot;</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  fields </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    </span><span style="color: var(--shiki-token-comment)"># field definitions</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  permission </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    create </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-comment)">/* policies */</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">    read   </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-comment)">/* policies */</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">    update </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-comment)">/* policies */</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">    delete </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-comment)">/* policies */</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">Example: tailordb.#Type </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  Name: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Example</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  Fields: {</span></span>
<span><span style="color: var(--shiki-color-text)">    </span><span style="color: var(--shiki-token-comment)">// field definitions</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  Permission: {</span></span>
<span><span style="color: var(--shiki-color-text)">    Create: [] </span><span style="color: var(--shiki-token-comment)">// policies</span></span>
<span><span style="color: var(--shiki-color-text)">    Read: [] </span><span style="color: var(--shiki-token-comment)">// policies</span></span>
<span><span style="color: var(--shiki-color-text)">    Update: [] </span><span style="color: var(--shiki-token-comment)">// policies</span></span>
<span><span style="color: var(--shiki-color-text)">    Delete: [] </span><span style="color: var(--shiki-token-comment)">// policies</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

Permission Types

Each permission type has different semantics:

Read Permission

Read Permission act as automatic filters. Only records that match at least one policy can be retrieved.

<span><span style="color: var(--shiki-color-text)">permission </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  read </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">    {</span></span>
<span><span style="color: var(--shiki-color-text)">      conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">        { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;userId&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;_id&quot;</span><span style="color: var(--shiki-color-text)"> } }</span></span>
<span><span style="color: var(--shiki-color-text)">      ]</span></span>
<span><span style="color: var(--shiki-color-text)">      permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Users can read their own records&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">  ]</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">Permission: {</span></span>
<span><span style="color: var(--shiki-color-text)">  Read: [</span></span>
<span><span style="color: var(--shiki-color-text)">    {</span></span>
<span><span style="color: var(--shiki-color-text)">      Conditions: [{</span></span>
<span><span style="color: var(--shiki-color-text)">        Left: tailordb.#PermissionOperandRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">          Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">userId</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">        Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">        Right: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">          Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">_id</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">      }]</span></span>
<span><span style="color: var(--shiki-color-text)">      Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">      Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Users can read their own records</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">  ]</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

Create/Update/Delete Permissions

These Permissions act as validation rules. If a record doesn't match any policy, the operation is prohibited and returns a permission denied error.

<span><span style="color: var(--shiki-color-text)">permission </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  create </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">    {</span></span>
<span><span style="color: var(--shiki-color-text)">      conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">        { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;role&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ADMIN&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-color-text)">      ]</span></span>
<span><span style="color: var(--shiki-color-text)">      permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Administrators can create any record&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">  ]</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">Permission: {</span></span>
<span><span style="color: var(--shiki-color-text)">  Create: [</span></span>
<span><span style="color: var(--shiki-color-text)">    {</span></span>
<span><span style="color: var(--shiki-color-text)">      Conditions: [{</span></span>
<span><span style="color: var(--shiki-color-text)">        Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">          Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">        Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">        Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">          Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">ADMIN</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">      }]</span></span>
<span><span style="color: var(--shiki-color-text)">      Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">      Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Administrators can create any record</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">  ]</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

Policy Evaluation

Multiple policies can be defined for each permission type. The evaluation follows these rules:

  • Explicit allow required: If no policy matches, access is denied by default (implicit deny)
  • Explicit deny takes precedence: A policy with permit = "deny" always overrides allow policies
  • All conditions must match: Within a policy, all conditions must be satisfied for the policy to match

Operands

The following operands can be used in conditions:

record

Uses the value of a specified field from the record. Cannot be used in Update Permission (use old_record or new_record instead).

Supported field types: String, UUID, Enum, Boolean, and their array forms.

<span><span style="color: var(--shiki-token-comment)"># Check if the record&#39;s status is &quot;TODO&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">{ left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;status&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;TODO&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span></span>
<span><span style="color: var(--shiki-token-comment)">// Check if the record&#39;s status is &quot;TODO&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">{</span></span>
<span><span style="color: var(--shiki-color-text)">  Left: tailordb.#PermissionOperandRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">status</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">  Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">  Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">TODO</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

old_record / new_record

Used in Update Permission to reference the existing or updated record values. Cannot be used in Create/Read/Delete Permissions.

The supported field types are the same as for record.

<span><span style="color: var(--shiki-token-comment)"># Check if the old record&#39;s assigneeId matches the user ID</span></span>
<span><span style="color: var(--shiki-color-text)">{ left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { old_record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;assigneeId&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;_id&quot;</span><span style="color: var(--shiki-color-text)"> } }</span></span>
<span></span>
<span><span style="color: var(--shiki-token-comment)">// Check if the old record&#39;s assigneeId matches the user ID</span></span>
<span><span style="color: var(--shiki-color-text)">{</span></span>
<span><span style="color: var(--shiki-color-text)">  Left: tailordb.#PermissionOperandOldRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">assigneeId</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">  Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">  Right: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">_id</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

user

Uses the value of a specified field from the user's AttributeMap (defined in the Auth service).

<span><span style="color: var(--shiki-token-comment)"># Check if the user&#39;s role is &quot;ADMIN&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">{ left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;role&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ADMIN&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span></span>
<span><span style="color: var(--shiki-token-comment)">// Check if the user&#39;s role is &quot;ADMIN&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">{</span></span>
<span><span style="color: var(--shiki-color-text)">  Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">  Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">  Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">ADMIN</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

value

Uses a specified value directly. Supports String, Boolean, and their array types.

<span><span style="color: var(--shiki-token-comment)"># Check if the record&#39;s status is in a specific set of values</span></span>
<span><span style="color: var(--shiki-color-text)">{ left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;status&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;in&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string_array </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-string-expression)">&quot;TODO&quot;</span><span style="color: var(--shiki-color-text)">, </span><span style="color: var(--shiki-token-string-expression)">&quot;IN_PROGRESS&quot;</span><span style="color: var(--shiki-color-text)">] } } }</span></span>
<span></span>
<span><span style="color: var(--shiki-token-comment)">// Check if the record&#39;s status is in a specific set of values</span></span>
<span><span style="color: var(--shiki-color-text)">{</span></span>
<span><span style="color: var(--shiki-color-text)">  Left: tailordb.#PermissionOperandRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">status</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">  Operator: tailordb.#PermissionOperator.In</span></span>
<span><span style="color: var(--shiki-color-text)">  Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: [</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">TODO</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-punctuation)">,</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">IN_PROGRESS</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

Operators

The following operators are supported:

eq / ne

Equality and inequality comparison.

<span><span style="color: var(--shiki-token-comment)"># Check if the record&#39;s status is &quot;TODO&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">{ left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;status&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;TODO&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-token-comment)"># Check if the user&#39;s role is not &quot;ADMIN&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">{ left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;role&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ne&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ADMIN&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span></span>
<span><span style="color: var(--shiki-token-comment)">// Check if the record&#39;s status is &quot;TODO&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">{</span></span>
<span><span style="color: var(--shiki-color-text)">  Left: tailordb.#PermissionOperandRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">status</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">  Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">  Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">TODO</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span><span style="color: var(--shiki-token-comment)">// Check if the user&#39;s role is not &quot;ADMIN&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">{</span></span>
<span><span style="color: var(--shiki-color-text)">  Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">  Operator: tailordb.#PermissionOperator.Ne</span></span>
<span><span style="color: var(--shiki-color-text)">  Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">ADMIN</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

in / nin

Array membership and non-membership.

<span><span style="color: var(--shiki-token-comment)"># Check if the record&#39;s status is in a set of values</span></span>
<span><span style="color: var(--shiki-color-text)">{ left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;status&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;in&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string_array </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-string-expression)">&quot;TODO&quot;</span><span style="color: var(--shiki-color-text)">, </span><span style="color: var(--shiki-token-string-expression)">&quot;IN_PROGRESS&quot;</span><span style="color: var(--shiki-color-text)">] } } }</span></span>
<span><span style="color: var(--shiki-token-comment)"># Check if the user&#39;s role is not in a set of values</span></span>
<span><span style="color: var(--shiki-color-text)">{ left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;role&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;nin&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string_array </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-string-expression)">&quot;GUEST&quot;</span><span style="color: var(--shiki-color-text)">, </span><span style="color: var(--shiki-token-string-expression)">&quot;USER&quot;</span><span style="color: var(--shiki-color-text)">] } } }</span></span>
<span></span>
<span><span style="color: var(--shiki-token-comment)">// Check if the record&#39;s status is in a set of values</span></span>
<span><span style="color: var(--shiki-color-text)">{</span></span>
<span><span style="color: var(--shiki-color-text)">  Left: tailordb.#PermissionOperandRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">status</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">  Operator: tailordb.#PermissionOperator.In</span></span>
<span><span style="color: var(--shiki-color-text)">  Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: [</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">TODO</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-punctuation)">,</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">IN_PROGRESS</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span><span style="color: var(--shiki-token-comment)">// Check if the user&#39;s role is not in a set of values</span></span>
<span><span style="color: var(--shiki-color-text)">{</span></span>
<span><span style="color: var(--shiki-color-text)">  Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">  Operator: tailordb.#PermissionOperator.Nin</span></span>
<span><span style="color: var(--shiki-color-text)">  Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: [</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">GUEST</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-punctuation)">,</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">USER</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

Complete Example

<span><span style="color: var(--shiki-token-function)">resource</span><span style="color: var(--shiki-color-text)"> &quot;tailor_tailordb_type&quot; &quot;task&quot; {</span></span>
<span><span style="color: var(--shiki-color-text)">  workspace_id </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_workspace.demo.id</span></span>
<span><span style="color: var(--shiki-color-text)">  namespace    </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_tailordb.demo.namespace</span></span>
<span><span style="color: var(--shiki-color-text)">  name         </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Task&quot;</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  fields </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    title </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">      type        </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;string&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      required    </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-constant)">true</span></span>
<span><span style="color: var(--shiki-color-text)">      description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Task title&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">    status </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">      type </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;enum&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      allowed_values : [</span></span>
<span><span style="color: var(--shiki-color-text)">        {</span></span>
<span><span style="color: var(--shiki-color-text)">          value       </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;TODO&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Task is pending&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        },</span></span>
<span><span style="color: var(--shiki-color-text)">        {</span></span>
<span><span style="color: var(--shiki-color-text)">          value       </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;IN_PROGRESS&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Task is currently being worked on&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        },</span></span>
<span><span style="color: var(--shiki-color-text)">        {</span></span>
<span><span style="color: var(--shiki-color-text)">          value       </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;DONE&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Task has been completed&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">      ]</span></span>
<span><span style="color: var(--shiki-color-text)">      hooks </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">        create </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;&#39;TODO&#39;&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span></span>
<span><span style="color: var(--shiki-color-text)">      description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Task status&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">    assigneeId </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">      type </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;uuid&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      hooks </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">        create </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;user.id&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span></span>
<span><span style="color: var(--shiki-color-text)">      description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ID of the user assigned to this task&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  permission </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    create </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">          { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;role&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ADMIN&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-color-text)">        ]</span></span>
<span><span style="color: var(--shiki-color-text)">        permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Administrators can create any task&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      },</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">          { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;assigneeId&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;_id&quot;</span><span style="color: var(--shiki-color-text)"> } },</span></span>
<span><span style="color: var(--shiki-color-text)">          { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;status&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;TODO&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-color-text)">        ]</span></span>
<span><span style="color: var(--shiki-color-text)">        permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Users can create tasks assigned to themselves with TODO status&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span></span>
<span><span style="color: var(--shiki-color-text)">    ]</span></span>
<span><span style="color: var(--shiki-color-text)">    read </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">          { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;role&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ADMIN&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-color-text)">        ]</span></span>
<span><span style="color: var(--shiki-color-text)">        permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Administrators can read all tasks&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      },</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">          { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;assigneeId&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;_id&quot;</span><span style="color: var(--shiki-color-text)"> } }</span></span>
<span><span style="color: var(--shiki-color-text)">        ]</span></span>
<span><span style="color: var(--shiki-color-text)">        permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Users can read tasks assigned to them&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span></span>
<span><span style="color: var(--shiki-color-text)">    ]</span></span>
<span><span style="color: var(--shiki-color-text)">    update </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">          { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;role&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ADMIN&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-color-text)">        ]</span></span>
<span><span style="color: var(--shiki-color-text)">        permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Administrators can update any task&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      },</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">          { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { old_record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;assigneeId&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;_id&quot;</span><span style="color: var(--shiki-color-text)"> } },</span></span>
<span><span style="color: var(--shiki-color-text)">          { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { new_record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;assigneeId&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;_id&quot;</span><span style="color: var(--shiki-color-text)"> } }</span></span>
<span><span style="color: var(--shiki-color-text)">        ]</span></span>
<span><span style="color: var(--shiki-color-text)">        permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Users can update tasks assigned to them&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span></span>
<span><span style="color: var(--shiki-color-text)">    ]</span></span>
<span><span style="color: var(--shiki-color-text)">    delete </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">          { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;role&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ADMIN&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-color-text)">        ]</span></span>
<span><span style="color: var(--shiki-color-text)">        permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Administrators can delete any task&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span></span>
<span><span style="color: var(--shiki-color-text)">    ]</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">Task: tailordb.#Type </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  Name: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Task</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  Fields: {</span></span>
<span><span style="color: var(--shiki-color-text)">    title: {</span></span>
<span><span style="color: var(--shiki-color-text)">      Type:        tailordb.#TypeString</span></span>
<span><span style="color: var(--shiki-color-text)">      Required:    </span><span style="color: var(--shiki-token-constant)">true</span></span>
<span><span style="color: var(--shiki-color-text)">      Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Task title</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">    status: {</span></span>
<span><span style="color: var(--shiki-color-text)">      Type: tailordb.#TypeEnum</span></span>
<span><span style="color: var(--shiki-color-text)">      AllowedValues: [</span></span>
<span><span style="color: var(--shiki-color-text)">        {Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">TODO</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-punctuation)">,</span><span style="color: var(--shiki-color-text)"> Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Task is pending</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-color-text)">}</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">        {Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">IN_PROGRESS</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-punctuation)">,</span><span style="color: var(--shiki-color-text)"> Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Task is currently being worked on</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-color-text)">}</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">        {Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">DONE</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-punctuation)">,</span><span style="color: var(--shiki-color-text)"> Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Task has been completed</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-color-text)">}</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">      ]</span></span>
<span><span style="color: var(--shiki-color-text)">      Hooks: {</span></span>
<span><span style="color: var(--shiki-color-text)">        Create: common.#Script </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">          Expr: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">&#39;TODO&#39;</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span></span>
<span><span style="color: var(--shiki-color-text)">      Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Task status</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">    assigneeId: {</span></span>
<span><span style="color: var(--shiki-color-text)">      Type: tailordb.#TypeUUID</span></span>
<span><span style="color: var(--shiki-color-text)">      Hooks: {</span></span>
<span><span style="color: var(--shiki-color-text)">        Create: common.#Script </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">          Expr: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">user.id</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span></span>
<span><span style="color: var(--shiki-color-text)">      Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">ID of the user assigned to this task</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  Permission: {</span></span>
<span><span style="color: var(--shiki-color-text)">    Create: [</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        Conditions: [{</span></span>
<span><span style="color: var(--shiki-color-text)">          Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">            Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span></span>
<span><span style="color: var(--shiki-color-text)">          Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">          Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">            Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">ADMIN</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span></span>
<span><span style="color: var(--shiki-color-text)">        }]</span></span>
<span><span style="color: var(--shiki-color-text)">        Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">        Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Administrators can create any task</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        Conditions: [</span></span>
<span><span style="color: var(--shiki-color-text)">          {</span></span>
<span><span style="color: var(--shiki-color-text)">            Left: tailordb.#PermissionOperandRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">              Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">assigneeId</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">            }</span></span>
<span><span style="color: var(--shiki-color-text)">            Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">            Right: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">              Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">_id</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">            }</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">          {</span></span>
<span><span style="color: var(--shiki-color-text)">            Left: tailordb.#PermissionOperandRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">              Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">status</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">            }</span></span>
<span><span style="color: var(--shiki-color-text)">            Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">            Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">              Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">TODO</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">            }</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">        ]</span></span>
<span><span style="color: var(--shiki-color-text)">        Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">        Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Users can create tasks assigned to themselves with TODO status</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">    ]</span></span>
<span><span style="color: var(--shiki-color-text)">    Read: [</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        Conditions: [{</span></span>
<span><span style="color: var(--shiki-color-text)">          Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">            Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span></span>
<span><span style="color: var(--shiki-color-text)">          Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">          Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">            Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">ADMIN</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span></span>
<span><span style="color: var(--shiki-color-text)">        }]</span></span>
<span><span style="color: var(--shiki-color-text)">        Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">        Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Administrators can read all tasks</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        Conditions: [{</span></span>
<span><span style="color: var(--shiki-color-text)">          Left: tailordb.#PermissionOperandRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">            Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">assigneeId</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span></span>
<span><span style="color: var(--shiki-color-text)">          Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">          Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">            Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">_id</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span></span>
<span><span style="color: var(--shiki-color-text)">        }]</span></span>
<span><span style="color: var(--shiki-color-text)">        Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">        Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Users can read tasks assigned to them</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">    ]</span></span>
<span><span style="color: var(--shiki-color-text)">    Update: [</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        Conditions: [{</span></span>
<span><span style="color: var(--shiki-color-text)">          Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">            Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span></span>
<span><span style="color: var(--shiki-color-text)">          Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">          Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">            Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">ADMIN</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span></span>
<span><span style="color: var(--shiki-color-text)">        }]</span></span>
<span><span style="color: var(--shiki-color-text)">        Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">        Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Administrators can update any task</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        Conditions: [</span></span>
<span><span style="color: var(--shiki-color-text)">          {</span></span>
<span><span style="color: var(--shiki-color-text)">            Left: tailordb.#PermissionOperandOldRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">              Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">assigneeId</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">            }</span></span>
<span><span style="color: var(--shiki-color-text)">            Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">            Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">              Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">_id</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">            }</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">          {</span></span>
<span><span style="color: var(--shiki-color-text)">            Left: tailordb.#PermissionOperandNewRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">              Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">assigneeId</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">            }</span></span>
<span><span style="color: var(--shiki-color-text)">            Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">            Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">              Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">_id</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">            }</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">        ]</span></span>
<span><span style="color: var(--shiki-color-text)">        Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">        Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Users can update tasks assigned to them</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">    ]</span></span>
<span><span style="color: var(--shiki-color-text)">    Delete: [</span></span>
<span><span style="color: var(--shiki-color-text)">      {</span></span>
<span><span style="color: var(--shiki-color-text)">        Conditions: [{</span></span>
<span><span style="color: var(--shiki-color-text)">          Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">            Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span></span>
<span><span style="color: var(--shiki-color-text)">          Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">          Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">            Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">ADMIN</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">          }</span></span>
<span><span style="color: var(--shiki-color-text)">        }]</span></span>
<span><span style="color: var(--shiki-color-text)">        Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">        Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Administrators can delete any task</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">    ]</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

GQLPermission (GraphQL-Level Control)

GQLPermission is defined as a separate resource and controls which users can execute specific GraphQL operations. This setting does not affect SQL execution via the Function service.

Basic Structure

<span><span style="color: var(--shiki-token-function)">resource</span><span style="color: var(--shiki-color-text)"> &quot;tailor_tailordb_gql_permission&quot; &quot;example&quot; {</span></span>
<span><span style="color: var(--shiki-color-text)">  workspace_id </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_workspace.demo.id</span></span>
<span><span style="color: var(--shiki-color-text)">  namespace    </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_tailordb.demo.namespace</span></span>
<span><span style="color: var(--shiki-color-text)">  type         </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_tailordb_type.example.name</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  policies </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">    {</span></span>
<span><span style="color: var(--shiki-color-text)">      conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-comment)">/* conditions */</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">      actions    </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-comment)">/* actions */</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">      permit     </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-comment)"># or &quot;deny&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Policy description&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">  ]</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">ExampleGQLPermission: tailordb.#GQLPermission </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  Type: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Example</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-color-text)"> </span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  Policies: [</span></span>
<span><span style="color: var(--shiki-color-text)">    {</span></span>
<span><span style="color: var(--shiki-color-text)">      Conditions: [] </span><span style="color: var(--shiki-token-comment)">// conditions</span></span>
<span><span style="color: var(--shiki-color-text)">      Actions: [] </span><span style="color: var(--shiki-token-comment)">// actions</span></span>
<span><span style="color: var(--shiki-color-text)">      Permit: tailordb.#PermissionPermit.Allow </span><span style="color: var(--shiki-token-comment)">// or Deny</span></span>
<span><span style="color: var(--shiki-color-text)">      Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Policy description</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">  ]</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

Conditions

The method for defining Conditions is basically the same as Permission. Just note that record / old_record / new_record operands are not available here.

Actions

Each GraphQL operation is categorized into the following actions:

ActionGraphQL operation
allAll GraphQL operations for the type
createcreate<Type> mutation
readget<Type>, get<Type>By, list<Type>s queries
updateupdate<Type> mutation
deletedelete<Type> mutation
aggregateaggregate<Type> query
bulk_upsertbulkUpsert<Type>, bulkUpsert<Type>By mutations

Complete Example

<span><span style="color: var(--shiki-token-function)">resource</span><span style="color: var(--shiki-color-text)"> &quot;tailor_tailordb_gql_permission&quot; &quot;task&quot; {</span></span>
<span><span style="color: var(--shiki-color-text)">  workspace_id </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_workspace.demo.id</span></span>
<span><span style="color: var(--shiki-color-text)">  namespace    </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_tailordb.demo.namespace</span></span>
<span><span style="color: var(--shiki-color-text)">  type         </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_tailordb_type.task.name</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  policies </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">    {</span></span>
<span><span style="color: var(--shiki-color-text)">      conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">        { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;role&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ADMIN&quot;</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-color-text)">      ]</span></span>
<span><span style="color: var(--shiki-color-text)">      actions     </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-string-expression)">&quot;all&quot;</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">      permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Administrators have full access to all GraphQL operations&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">    {</span></span>
<span><span style="color: var(--shiki-color-text)">      conditions </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span></span>
<span><span style="color: var(--shiki-color-text)">        { left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;_loggedIn&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { boolean </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-constant)">true</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span><span style="color: var(--shiki-color-text)">      ]</span></span>
<span><span style="color: var(--shiki-color-text)">      actions     </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> [</span><span style="color: var(--shiki-token-string-expression)">&quot;create&quot;</span><span style="color: var(--shiki-color-text)">, </span><span style="color: var(--shiki-token-string-expression)">&quot;read&quot;</span><span style="color: var(--shiki-color-text)">, </span><span style="color: var(--shiki-token-string-expression)">&quot;update&quot;</span><span style="color: var(--shiki-color-text)">]</span></span>
<span><span style="color: var(--shiki-color-text)">      permit      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;allow&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">      description </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;Authenticated users can create, read, and update tasks&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">  ]</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">TaskGQLPermission: tailordb.#GQLPermission </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  Type: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Task</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">  Policies: [</span></span>
<span><span style="color: var(--shiki-color-text)">    {</span></span>
<span><span style="color: var(--shiki-color-text)">      Conditions: [{</span></span>
<span><span style="color: var(--shiki-color-text)">        Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">          Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">        Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">        Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">          Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">ADMIN</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">      }]</span></span>
<span><span style="color: var(--shiki-color-text)">      Actions: [tailordb.#GQLPermissionAction.All]</span></span>
<span><span style="color: var(--shiki-color-text)">      Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">      Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Administrators have full access to all GraphQL operations</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">    {</span></span>
<span><span style="color: var(--shiki-color-text)">      Conditions: [{</span></span>
<span><span style="color: var(--shiki-color-text)">        Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">          Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">_loggedIn</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">        Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">        Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">          Value: </span><span style="color: var(--shiki-token-constant)">true</span></span>
<span><span style="color: var(--shiki-color-text)">        }</span></span>
<span><span style="color: var(--shiki-color-text)">      }]</span></span>
<span><span style="color: var(--shiki-color-text)">      Actions: [</span></span>
<span><span style="color: var(--shiki-color-text)">        tailordb.#GQLPermissionAction.Create</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">        tailordb.#GQLPermissionAction.Read</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">        tailordb.#GQLPermissionAction.Update</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">      ]</span></span>
<span><span style="color: var(--shiki-color-text)">      Permit:      tailordb.#PermissionPermit.Allow</span></span>
<span><span style="color: var(--shiki-color-text)">      Description: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">Authenticated users can create, read, and update tasks</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span><span style="color: var(--shiki-token-punctuation)">,</span></span>
<span><span style="color: var(--shiki-color-text)">  ]</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

Auth Integration

User attributes referenced in permissions are defined through the Auth service configuration.

User Profile Configuration

<span><span style="color: var(--shiki-token-function)">resource</span><span style="color: var(--shiki-color-text)"> &quot;tailor_auth_user_profile_config&quot; &quot;user&quot; {</span></span>
<span><span style="color: var(--shiki-color-text)">  tailordb_config </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    namespace      </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_tailordb.demo.namespace</span></span>
<span><span style="color: var(--shiki-color-text)">    type           </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> tailor_tailordb_type.user.name</span></span>
<span><span style="color: var(--shiki-color-text)">    username_field </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;email&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    attribute_map </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">      </span><span style="color: var(--shiki-token-comment)"># Reference the value of the role field as &quot;role&quot; using the &quot;user&quot; operand</span></span>
<span><span style="color: var(--shiki-color-text)">      role </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;role&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">UserProfileProviderConfig: auth.#TailorDBProviderConfig </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  Namespace:     tailordb.Namespace</span></span>
<span><span style="color: var(--shiki-color-text)">  Type:          types.User.Name</span></span>
<span><span style="color: var(--shiki-color-text)">  UsernameField: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">email</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  AttributeMap: {</span></span>
<span><span style="color: var(--shiki-color-text)">    </span><span style="color: var(--shiki-token-comment)">// Reference the value of the role field as &quot;role&quot; using the &quot;user&quot; operand</span></span>
<span><span style="color: var(--shiki-color-text)">    </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

Machine User Configuration

<span><span style="color: var(--shiki-token-function)">resource</span><span style="color: var(--shiki-color-text)"> &quot;tailor_auth_machine_user&quot; &quot;admin&quot; {</span></span>
<span><span style="color: var(--shiki-color-text)">  name </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;admin&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  attribute_map </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    </span><span style="color: var(--shiki-token-comment)"># Set the role attribute to &quot;ADMIN&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    role </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { string </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;ADMIN&quot;</span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>
<span><span style="color: var(--shiki-color-text)">auth.#MachineUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  Name: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">admin</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  AttributeMap: {</span></span>
<span><span style="color: var(--shiki-color-text)">    </span><span style="color: var(--shiki-token-comment)">// Set the role attribute to &quot;ADMIN&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">role</span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">ADMIN</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

Built-in User Attributes

In addition to custom attributes, two built-in fields are always available:

_id

The user's unique identifier.

<span><span style="color: var(--shiki-token-comment)"># Check if the user ID matches the record&#39;s assigneeId</span></span>
<span><span style="color: var(--shiki-color-text)">{ left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;_id&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { record </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;assigneeId&quot;</span><span style="color: var(--shiki-color-text)"> } }</span></span>
<span></span>
<span><span style="color: var(--shiki-token-comment)">// Check if the user ID matches the record&#39;s assigneeId</span></span>
<span><span style="color: var(--shiki-color-text)">{</span></span>
<span><span style="color: var(--shiki-color-text)">  Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">_id</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">  Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">  Right: tailordb.#PermissionOperandRecord </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">assigneeId</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

_loggedIn

Boolean indicating whether the user is authenticated.

<span><span style="color: var(--shiki-token-comment)"># Check if the user is logged in</span></span>
<span><span style="color: var(--shiki-color-text)">{ left </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { user </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;_loggedIn&quot;</span><span style="color: var(--shiki-color-text)"> }, operator </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-string-expression)">&quot;eq&quot;</span><span style="color: var(--shiki-color-text)">, right </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { value </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> { boolean </span><span style="color: var(--shiki-token-keyword)">=</span><span style="color: var(--shiki-color-text)"> </span><span style="color: var(--shiki-token-constant)">true</span><span style="color: var(--shiki-color-text)"> } } }</span></span>
<span></span>
<span><span style="color: var(--shiki-token-comment)">// Check if the user is logged in</span></span>
<span><span style="color: var(--shiki-color-text)">{</span></span>
<span><span style="color: var(--shiki-color-text)">  Left: tailordb.#PermissionOperandUser </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-color-text)">&quot;</span><span style="color: var(--shiki-token-string-expression)">_loggedIn</span><span style="color: var(--shiki-color-text)">&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">  Operator: tailordb.#PermissionOperator.Eq</span></span>
<span><span style="color: var(--shiki-color-text)">  Right: tailordb.#PermissionOperandValue </span><span style="color: var(--shiki-token-keyword)">&amp;</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">    Value: </span><span style="color: var(--shiki-token-constant)">true</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

SQL Operation Behavior

Unlike GQLPermission, Permission is enforced at the SQL level as well.

For detailed information about how the settings affect SQL operations when accessing TailorDB via the Function service, see Permission Enforcement.

GraphQL Operation Behavior

When accessing TailorDB via GraphQL, Permission required for each operation is determined based on the corresponding equivalent SQL:

Create Operations

<span><span style="color: var(--shiki-token-keyword)">mutation</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  createTask(input: { </span><span style="color: var(--shiki-token-string)">title</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">&quot;New task&quot;</span><span style="color: var(--shiki-color-text)"> }) {</span></span>
<span><span style="color: var(--shiki-color-text)">    id</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

SQL Equivalent: INSERT INTO "Task" ("title") VALUES ('New task') RETURNING "id"

Required Permissions:

  • Permission: Create, Read (for returning created record)
  • GQLPermission: Create

Read Operations

<span><span style="color: var(--shiki-token-keyword)">query</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  tasks(query: { </span><span style="color: var(--shiki-token-string)">status</span><span style="color: var(--shiki-color-text)">: { </span><span style="color: var(--shiki-token-string)">eq</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">&quot;TODO&quot;</span><span style="color: var(--shiki-color-text)"> } }, first: </span><span style="color: var(--shiki-token-constant)">10</span><span style="color: var(--shiki-color-text)">) {</span></span>
<span><span style="color: var(--shiki-color-text)">    edges {</span></span>
<span><span style="color: var(--shiki-color-text)">      node { id, title }</span></span>
<span><span style="color: var(--shiki-color-text)">    }</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

SQL Equivalent: SELECT "id", "title" FROM "Task" WHERE "status" = 'TODO' LIMIT 10

Required Permissions:

  • Permission: Read
  • GQLPermission: Read

Update Operations

<span><span style="color: var(--shiki-token-keyword)">mutation</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  updateTask(</span></span>
<span><span style="color: var(--shiki-color-text)">    id: </span><span style="color: var(--shiki-token-string-expression)">&quot;&lt;uuid&gt;&quot;</span></span>
<span><span style="color: var(--shiki-color-text)">    input: { </span><span style="color: var(--shiki-token-string)">status</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">&quot;DONE&quot;</span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)">    condition: { </span><span style="color: var(--shiki-token-string)">status</span><span style="color: var(--shiki-color-text)">: { </span><span style="color: var(--shiki-token-string)">eq</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">&quot;IN_PROGRESS&quot;</span><span style="color: var(--shiki-color-text)"> } }</span></span>
<span><span style="color: var(--shiki-color-text)">  ) {</span></span>
<span><span style="color: var(--shiki-color-text)">    id</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

SQL Equivalent: UPDATE "Task" SET "status" = 'DONE' WHERE "id" = 'uuid' AND "status" = 'IN_PROGRESS' RETURNING "id"

Required Permissions:

  • Permission: Update, Read (for candidate record retrieval and returning updated record)
  • GQLPermission: Update

Delete Operations

<span><span style="color: var(--shiki-token-keyword)">mutation</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  deleteTask(id: </span><span style="color: var(--shiki-token-string-expression)">&quot;&lt;uuid&gt;&quot;</span><span style="color: var(--shiki-color-text)">)</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

SQL Equivalent: DELETE FROM "Task" WHERE "id" = 'uuid'

Required Permissions:

  • Permission: Delete, Read (for candidate record retrieval)
  • GQLPermission: Delete

Bulk Upsert Operations

<span><span style="color: var(--shiki-token-keyword)">mutation</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  bulkUpsertTasksBy(</span></span>
<span><span style="color: var(--shiki-color-text)">    field: title</span></span>
<span><span style="color: var(--shiki-color-text)">    input: [</span></span>
<span><span style="color: var(--shiki-color-text)">      { </span><span style="color: var(--shiki-token-string)">title</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">&quot;Task 1&quot;</span><span style="color: var(--shiki-color-text)">, </span><span style="color: var(--shiki-token-string)">status</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">&quot;TODO&quot;</span><span style="color: var(--shiki-color-text)"> },</span></span>
<span><span style="color: var(--shiki-color-text)">      { </span><span style="color: var(--shiki-token-string)">title</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">&quot;Task 2&quot;</span><span style="color: var(--shiki-color-text)">, </span><span style="color: var(--shiki-token-string)">status</span><span style="color: var(--shiki-color-text)">: </span><span style="color: var(--shiki-token-string-expression)">&quot;DONE&quot;</span><span style="color: var(--shiki-color-text)"> }</span></span>
<span><span style="color: var(--shiki-color-text)">    ]</span></span>
<span><span style="color: var(--shiki-color-text)">  )</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

SQL Equivalent: INSERT INTO "Task" ("title", "status") VALUES ('Task 1', 'TODO'), ('Task 2', 'DONE') ON CONFLICT ("title") DO UPDATE SET "status" = EXCLUDED."status"

Required Permissions:

  • Permission: Create (INSERT case), Update + Read (UPDATE case)
  • GQLPermission: BulkUpsert

Aggregate Operations

<span><span style="color: var(--shiki-token-keyword)">query</span><span style="color: var(--shiki-color-text)"> {</span></span>
<span><span style="color: var(--shiki-color-text)">  aggregateTasks {</span></span>
<span><span style="color: var(--shiki-color-text)">    groupBy { status }</span></span>
<span><span style="color: var(--shiki-color-text)">    count</span></span>
<span><span style="color: var(--shiki-color-text)">  }</span></span>
<span><span style="color: var(--shiki-color-text)">}</span></span>
<span></span>

SQL Equivalent: SELECT "status", COUNT(*) FROM "Task" GROUP BY "status"

Required Permissions:

  • Permission: Read
  • GQLPermission: Aggregate

Compatibility

  • When both Permission and RecordPermission are defined, Permission takes precedence
  • When both GQLPermission and TypePermission are defined, GQLPermission takes precedence
  • This ensures backward compatibility while enabling gradual migration