Skip to main content


Relationships are the underlying datatype of Ory Permissions. They encode relations between objects, which are the resources that you want to manage to, and subjects, which are the people or things that want to access these resources. A relationship is associated with a namespace where its relation has to be defined and configured.

You can think of relationships as edges in a graph. For a simple relationship:

User:user1 is in members of Group:group1
User:user2 is in readers of Document:readme.txt
Folder:src is in parents of Document:package.json

The Zanzibar paper uses the following notation for relationships:


Ory commonly uses the notation presented in the example as it's easier to read and understand.

The graphical representation looks like this:

User and Group are the subject and object namespaces respectively. user1 and group1 are the subject and object.

Relationships and permissions

Ory Permissions checks permissions based on:

  • relationships
  • permission rules

Think of relationships as of facts used to answer permission checks. When a user is added to a group, add a relationship from the user (subject) to the group (object) through a members relationship. Use the permission model to define concrete permissions the user gets by being a member of this group.