Ory Keto uses namespaces to organize relation tuples. Each namespace has a configuration that defines its relations and some other important values (see reference). Unlike other applications, Ory Keto does not isolate namespaces. In particular, subject sets can cross-reference from one namespace to another. The purpose of namespaces is to split the data into coherent partitions, each with its corresponding configuration. Internally, each namespace has its own table in the database, which allows setting individual storage-specific options.
Scoping of Objects
The application can also use namespaces to scope objects because Ory Keto only compares objects within a namespace. For example, if Ory Keto knows the following relation tuples
// user1 has access to the directory foo
// user2 has access to the file foo
both of the following check requests
// Does user2 have access to the directory foo?
// Does user1 have access to the file foo?
will evaluate to false (a.k.a. rejected).
Conversely, all relation tuples that contain an object have to be in the same namespace to reference the same object.
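The scoping rule above, together with the cross-namespace subject sets mentioned at the top of the page, as an added example (a toy model, not Ory Keto's code or API). The namespace names `directories` and `files`, the relation `access`, the object `bar` and the subject-set tuple are assumptions made for the illustration.

```python
# Added illustration: a toy model of namespace-scoped checks, not Ory Keto's code.
from typing import NamedTuple, Union


class SubjectSet(NamedTuple):
    namespace: str
    obj: str
    relation: str


class RelationTuple(NamedTuple):
    namespace: str
    obj: str
    relation: str
    subject: Union[str, SubjectSet]  # a subject ID or a subject set


# Constructed sample data; namespace, relation and object names are assumptions.
TUPLES = {
    RelationTuple("directories", "foo", "access", "user1"),
    RelationTuple("files", "foo", "access", "user2"),
    # Subject set crossing namespaces: whoever has access to the
    # directory foo also has access to the file bar.
    RelationTuple("files", "bar", "access", SubjectSet("directories", "foo", "access")),
}


def check(namespace, obj, relation, subject, tuples=TUPLES, _seen=None):
    """Return True if subject has relation on namespace:obj."""
    seen = _seen if _seen is not None else set()
    key = (namespace, obj, relation)
    if key in seen:  # guard against cyclic subject sets
        return False
    seen.add(key)
    for t in tuples:
        # The object is matched together with its namespace, so
        # directories:foo and files:foo are different objects.
        if (t.namespace, t.obj, t.relation) != key:
            continue
        if t.subject == subject:
            return True
        if isinstance(t.subject, SubjectSet) and check(*t.subject, subject, tuples, seen):
            return True
    return False
```

Because the object name alone never grants anything, reusing an ID such as `foo` in two namespaces is safe, but a subject set is an explicit bridge between namespaces and deserves review when it is written.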
Because each namespace comes with an individual configuration that can even modify some storage-specific options, you have to manually review and run migrations whenever the namespace configuration is updated. Please refer to the namespace migration CLI reference and the running in production guide to learn more about that process.
Namespaces should be named after the plural of the type of objects they describe (for example, organizations). Relations within a namespace should be a word that describes what relation a subject has towards an object. As a rule of thumb, every relation tuple should translate to an English sentence like so:
Subject has relation on object which is one of the namespace.
// good examples
// bad examples
// namespace does not describe a homogeneous type of objects
// relation describes a relation of the object towards the subject