Skip to main content

Relation tuples

Relation tuples are the underlying datatype of Ory Keto's access control language. They encode relations between objects and subjects. A relation tuple is associated with a namespace where its relation has to be defined and configured. The following BNF grammar describes the encoding used in the documentation and within Ory Keto.

note

The namespace is often omitted in examples for readability, but is technically always required.

<relation-tuple> ::= <object>'#'relation'@'<subject>
<object> ::= namespace':'object_id
<subject> ::= subject_id | <subject_set>
<subject_set> ::= <object>'#'relation

A relation tuple

object#relation@subject

can be translated into the english sentence "Subject has relation on object".

Effect of a relation tuple

The effect of a relation tuple is the effect of its relation as defined in the namespace configuration. It can be one of union (boolean or), intersection (boolean and), or exclusion (boolean not).

Basic Example

Head over to the basic full feature example to see an example with some context.