MG-370 - Add fine grained access control to rules engine (#402)

* update go mod file

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix rules endpoint tests

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix yaml file

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix build

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* address comments

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* remove roles from alarms

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* change approach for schema combaine

Signed-off-by: Arvindh <arvindh91@gmail.com>

* change approach for schema combaine

Signed-off-by: Arvindh <arvindh91@gmail.com>

* fix permissions for rules

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix authorization file

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix linter

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

* fix linter

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>

---------

Signed-off-by: nyagamunene <stevenyaga2014@gmail.com>
Signed-off-by: Arvindh <arvindh91@gmail.com>
Co-authored-by: Arvindh <arvindh91@gmail.com>

docker/.env

@@ -85,11 +85,14 @@ SMQ_SPICEDB_DB_PORT=5432
 
 ### SpiceDB config
 SMQ_SPICEDB_PRE_SHARED_KEY="12345678"
-SMQ_SPICEDB_SCHEMA_FILE="/schema.zed"
+SMQ_SPICEDB_SCHEMA_FILE="/schemas/combined-schema.zed"
 SMQ_SPICEDB_HOST=supermq-spicedb
 SMQ_SPICEDB_PORT=50051
 SMQ_SPICEDB_DATASTORE_ENGINE=postgres
 
+### Permissions
+SMQ_PERMISSIONS_FILE=/schemas/permission.yaml
+
 ### UI
 SMQ_UI_PATH_PREFIX=/ui
 

docker/docker-compose.yaml

@@ -253,6 +253,7 @@ services:
     container_name: magistrala-re
     depends_on:
       - re-db
+      - spicedb-migrate
     restart: on-failure
     environment:
       MG_RE_LOG_LEVEL: ${MG_RE_LOG_LEVEL}
@@ -290,6 +291,8 @@ services:
       SMQ_SPICEDB_PRE_SHARED_KEY: ${SMQ_SPICEDB_PRE_SHARED_KEY}
       SMQ_SPICEDB_HOST: ${SMQ_SPICEDB_HOST}
       SMQ_SPICEDB_PORT: ${SMQ_SPICEDB_PORT}
+      SMQ_SPICEDB_SCHEMA_FILE: ${SMQ_SPICEDB_SCHEMA_FILE}
+      SMQ_PERMISSIONS_FILE: ${SMQ_PERMISSIONS_FILE}
       MG_RE_INSTANCE_ID: ${MG_RE_INSTANCE_ID}
       MG_EMAIL_HOST: ${MG_EMAIL_HOST}
       MG_EMAIL_PORT: ${MG_EMAIL_PORT}
@@ -314,6 +317,8 @@ services:
     networks:
       - magistrala-base-net
     volumes:
+      - ./permission.yaml:${SMQ_PERMISSIONS_FILE}
+      - ./spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
       - ./templates/${MG_RE_EMAIL_TEMPLATE}:/email.tmpl
       # Auth gRPC client certificates
       - type: bind
@@ -353,6 +358,7 @@ services:
     container_name: magistrala-alarms
     depends_on:
       - alarms-db
+      - spicedb-migrate
     restart: on-failure
     environment:
       MG_ALARMS_LOG_LEVEL: ${MG_ALARMS_LOG_LEVEL}
@@ -382,6 +388,11 @@ services:
       SMQ_DOMAINS_GRPC_CLIENT_CERT: ${SMQ_DOMAINS_GRPC_CLIENT_CERT:+/domains-grpc-client.crt}
       SMQ_DOMAINS_GRPC_CLIENT_KEY: ${SMQ_DOMAINS_GRPC_CLIENT_KEY:+/domains-grpc-client.key}
       SMQ_DOMAINS_GRPC_SERVER_CA_CERTS: ${SMQ_DOMAINS_GRPC_SERVER_CA_CERTS:+/domains-grpc-server-ca.crt}
+      SMQ_SPICEDB_PRE_SHARED_KEY: ${SMQ_SPICEDB_PRE_SHARED_KEY}
+      SMQ_SPICEDB_HOST: ${SMQ_SPICEDB_HOST}
+      SMQ_SPICEDB_PORT: ${SMQ_SPICEDB_PORT}
+      SMQ_SPICEDB_SCHEMA_FILE: ${SMQ_SPICEDB_SCHEMA_FILE}
+      SMQ_PERMISSIONS_FILE: ${SMQ_PERMISSIONS_FILE}
       MG_ALARMS_INSTANCE_ID: ${MG_ALARMS_INSTANCE_ID}
       SMQ_ALLOW_UNVERIFIED_USER: ${SMQ_ALLOW_UNVERIFIED_USER}
     ports:
@@ -389,6 +400,8 @@ services:
     networks:
       - magistrala-base-net
     volumes:
+      - ./permission.yaml:${SMQ_PERMISSIONS_FILE}
+      - ./spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
       # Auth gRPC client certificates
       - type: bind
         source: ${SMQ_AUTH_GRPC_CLIENT_CERT:-ssl/certs/dummy/client_cert}
@@ -442,6 +455,7 @@ services:
     container_name: magistrala-reports
     depends_on:
       - reports-db
+      - spicedb-migrate
     restart: on-failure
     environment:
       MG_REPORTS_LOG_LEVEL: ${MG_REPORTS_LOG_LEVEL}
@@ -472,6 +486,8 @@ services:
       SMQ_SPICEDB_PRE_SHARED_KEY: ${SMQ_SPICEDB_PRE_SHARED_KEY}
       SMQ_SPICEDB_HOST: ${SMQ_SPICEDB_HOST}
       SMQ_SPICEDB_PORT: ${SMQ_SPICEDB_PORT}
+      SMQ_SPICEDB_SCHEMA_FILE: ${SMQ_SPICEDB_SCHEMA_FILE}
+      SMQ_PERMISSIONS_FILE: ${SMQ_PERMISSIONS_FILE}
       MG_REPORTS_INSTANCE_ID: ${MG_RE_INSTANCE_ID}
       MG_EMAIL_HOST: ${MG_EMAIL_HOST}
       MG_EMAIL_PORT: ${MG_EMAIL_PORT}
@@ -496,6 +512,8 @@ services:
     networks:
       - magistrala-base-net
     volumes:
+      - ./permission.yaml:${SMQ_PERMISSIONS_FILE}
+      - ./spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
       - ./templates/${MG_REPORTS_EMAIL_TEMPLATE}:/email.tmpl
       # Auth gRPC client certificates
       - type: bind

docker/permission.yaml

@@ -0,0 +1,71 @@
+# Copyright (c) Abstract Machines
+# SPDX-License-Identifier: Apache-2.0
+
+alarm:
+  operations:
+    - add: alarm_create_permission
+    - list: alarm_read_permission
+    - view: read_permission
+    - update: update_permission
+    - enable: update_permission
+    - disable: update_permission
+    - delete: delete_permission
+
+rule:
+  operations:
+    - add: rule_create_permission
+    - list: rule_read_permission
+    - view: read_permission
+    - update: update_permission
+    - update_tags: update_permission
+    - update_schedule: update_permission
+    - enable: update_permission
+    - disable: update_permission
+    - delete: delete_permission
+  roles_operations:
+    - add: manage_role_permission
+    - remove: manage_role_permission
+    - update: manage_role_permission
+    - retrieve: view_role_users_permission
+    - retrieve_all: view_role_users_permission
+    - add_actions: manage_role_permission
+    - list_actions: view_role_users_permission
+    - check_actions_exists: view_role_users_permission
+    - remove_actions: manage_role_permission
+    - remove_all_actions: manage_role_permission
+    - add_members: add_role_users_permission
+    - list_members: view_role_users_permission
+    - check_members_exists: view_role_users_permission
+    - remove_members: remove_role_users_permission
+    - remove_all_members: remove_role_users_permission
+
+report:
+  operations:
+    - add: report_create_permission
+    - list: report_read_permission
+    - generate: report_create_permission
+    - view: read_permission
+    - update: update_permission
+    - update_schedule: update_permission
+    - enable: update_permission
+    - disable: update_permission
+    - delete: delete_permission
+    - update_template: update_permission
+    - view_template: read_permission
+    - delete_template: delete_permission
+  roles_operations:
+    - add: manage_role_permission
+    - remove: manage_role_permission
+    - update: manage_role_permission
+    - retrieve: view_role_users_permission
+    - retrieve_all: view_role_users_permission
+    - add_actions: manage_role_permission
+    - list_actions: view_role_users_permission
+    - check_actions_exists: view_role_users_permission
+    - remove_actions: manage_role_permission
+    - remove_all_actions: manage_role_permission
+    - add_members: add_role_users_permission
+    - list_members: view_role_users_permission
+    - check_members_exists: view_role_users_permission
+    - remove_members: remove_role_users_permission
+    - remove_all_members: remove_role_users_permission

docker/spicedb/combined-schema.zed

@@ -0,0 +1,706 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+// Code generated by scripts/combine-schema.sh. DO NOT EDIT.
+//
+// Combined from:
+// - docker/supermq-docker/spicedb/schema.zed
+// - docker/spicedb/override-schema.zed
+
+definition user {}
+
+
+definition role {
+	relation entity: domain | group | channel | client
+	relation member: user
+	relation built_in_role: domain | group | channel | client
+
+	permission delete = entity->manage_role_permission - built_in_role->manage_role_permission
+	permission update = entity->manage_role_permission - built_in_role->manage_role_permission
+	permission read = entity->manage_role_permission - built_in_role->manage_role_permission
+
+	permission add_user = entity->add_role_users_permission
+	permission remove_user = entity->remove_role_users_permission
+	permission view_user = entity->view_role_users_permission
+}
+
+definition client {
+	relation domain: domain // This can't be clubbed with parent_group, but if parent_group is unassigned then we could not track belongs to which domain, so it safe to add domain
+	relation parent_group: group
+
+	relation update: role#member
+	relation read: role#member
+	relation delete: role#member
+	relation set_parent_group: role#member
+	relation connect_to_channel: role#member
+
+	relation manage_role: role#member
+	relation add_role_users: role#member
+	relation remove_role_users: role#member
+	relation view_role_users: role#member
+
+	permission update_permission = update + parent_group->client_update_permission + domain->client_update_permission
+	permission read_permission = read + parent_group->client_read_permission + domain->client_read_permission
+	permission delete_permission = delete + parent_group->client_delete_permission + domain->client_delete_permission
+	permission set_parent_group_permission = set_parent_group + parent_group->client_set_parent_group_permission + domain->client_set_parent_group_permission
+	permission connect_to_channel_permission  =  connect_to_channel + parent_group->client_connect_to_channel_permission + domain->client_connect_to_channel_permission
+
+	permission manage_role_permission = manage_role + parent_group->client_manage_role_permission + domain->client_manage_role_permission
+	permission add_role_users_permission = add_role_users + parent_group->client_add_role_users_permission + domain->client_add_role_users_permission
+	permission remove_role_users_permission = remove_role_users + parent_group->client_remove_role_users_permission + domain->client_remove_role_users_permission
+	permission view_role_users_permission = view_role_users + parent_group->client_view_role_users_permission + domain->client_view_role_users_permission
+}
+
+definition channel {
+	relation domain: domain // This can't be clubbed with parent_group, but if parent_group is unassigned then we could not track belongs to which domain, so it safe to add domain
+	relation parent_group: group
+
+	relation update: role#member
+	relation read: role#member
+	relation delete: role#member
+	relation set_parent_group: role#member
+	relation connect_to_client: role#member
+	relation publish: role#member | client
+	relation subscribe: role#member | client
+
+	relation manage_role: role#member
+	relation add_role_users: role#member
+	relation remove_role_users: role#member
+	relation view_role_users: role#member
+
+	permission update_permission = update + parent_group->channel_update_permission + domain->channel_update_permission
+	permission read_permission = read + parent_group->channel_read_permission + domain->channel_read_permission
+	permission delete_permission = delete + parent_group->channel_delete_permission + domain->channel_delete_permission
+	permission set_parent_group_permission = set_parent_group + parent_group->channel_set_parent_group_permission + domain->channel_set_parent_group_permission
+	permission connect_to_client_permission = connect_to_client + parent_group->channel_connect_to_client_permission + domain->channel_connect_to_client_permission
+	permission publish_permission = publish + parent_group->channel_publish_permission + domain->channel_publish_permission
+	permission subscribe_permission = subscribe + parent_group->channel_subscribe_permission + domain->channel_subscribe_permission
+
+	permission manage_role_permission = manage_role + parent_group->channel_manage_role_permission + domain->channel_manage_role_permission
+	permission add_role_users_permission = add_role_users + parent_group->channel_add_role_users_permission + domain->channel_add_role_users_permission
+	permission remove_role_users_permission = remove_role_users + parent_group->channel_remove_role_users_permission + domain->channel_remove_role_users_permission
+	permission view_role_users_permission = view_role_users + parent_group->channel_view_role_users_permission + domain->channel_view_role_users_permission
+}
+
+definition group {
+	relation domain: domain // This can't be clubbed with parent_group, but if parent_group is unassigned then we could not track belongs to which domain, so it is safe to add domain
+	relation parent_group: group
+
+	relation update: role#member
+	relation read: role#member
+	relation membership: role#member
+	relation delete: role#member
+	relation set_child: role#member
+	relation set_parent: role#member
+
+	relation manage_role: role#member
+	relation add_role_users: role#member
+	relation remove_role_users: role#member
+	relation view_role_users: role#member
+
+	relation client_create: role#member
+	relation channel_create: role#member
+	// this allows to add parent for group during the new group creation
+	relation subgroup_create: role#member
+	relation subgroup_client_create: role#member
+	relation subgroup_channel_create: role#member
+
+	relation client_update: role#member
+	relation client_read: role#member
+	relation client_delete: role#member
+	relation client_set_parent_group: role#member
+	relation client_connect_to_channel: role#member
+
+	relation client_manage_role: role#member
+	relation client_add_role_users: role#member
+	relation client_remove_role_users: role#member
+	relation client_view_role_users: role#member
+
+	relation channel_update: role#member
+	relation channel_read: role#member
+	relation channel_delete: role#member
+	relation channel_set_parent_group: role#member
+	relation channel_connect_to_client: role#member
+	relation channel_publish: role#member
+	relation channel_subscribe: role#member
+
+	relation channel_manage_role: role#member
+	relation channel_add_role_users: role#member
+	relation channel_remove_role_users: role#member
+	relation channel_view_role_users: role#member
+
+	relation subgroup_update: role#member
+	relation subgroup_read: role#member
+	relation subgroup_membership: role#member
+	relation subgroup_delete: role#member
+	relation subgroup_set_child: role#member
+	relation subgroup_set_parent: role#member
+
+	relation subgroup_manage_role: role#member
+	relation subgroup_add_role_users: role#member
+	relation subgroup_remove_role_users: role#member
+	relation subgroup_view_role_users: role#member
+
+	relation subgroup_client_update: role#member
+	relation subgroup_client_read: role#member
+	relation subgroup_client_delete: role#member
+	relation subgroup_client_set_parent_group: role#member
+	relation subgroup_client_connect_to_channel: role#member
+
+	relation subgroup_client_manage_role: role#member
+	relation subgroup_client_add_role_users: role#member
+	relation subgroup_client_remove_role_users: role#member
+	relation subgroup_client_view_role_users: role#member
+
+	relation subgroup_channel_update: role#member
+	relation subgroup_channel_read: role#member
+	relation subgroup_channel_delete: role#member
+	relation subgroup_channel_set_parent_group: role#member
+	relation subgroup_channel_connect_to_client: role#member
+	relation subgroup_channel_publish: role#member
+	relation subgroup_channel_subscribe: role#member
+
+	relation subgroup_channel_manage_role: role#member
+	relation subgroup_channel_add_role_users: role#member
+	relation subgroup_channel_remove_role_users: role#member
+	relation subgroup_channel_view_role_users: role#member
+
+	// Subgroup permission
+	permission subgroup_create_permission = subgroup_create + parent_group->subgroup_create_permission
+	permission subgroup_client_create_permission = subgroup_client_create + parent_group->subgroup_client_create_permission
+	permission subgroup_channel_create_permission = subgroup_channel_create + parent_group->subgroup_channel_create_permission
+
+	permission subgroup_update_permission = subgroup_update + parent_group->subgroup_update_permission
+	permission subgroup_membership_permission = subgroup_membership + parent_group->subgroup_membership_permission
+	permission subgroup_read_permission = subgroup_read + parent_group->subgroup_read_permission
+	permission subgroup_delete_permission = subgroup_delete + parent_group->subgroup_delete_permission
+	permission subgroup_set_child_permission = subgroup_set_child + parent_group->subgroup_set_child_permission
+	permission subgroup_set_parent_permission = subgroup_set_parent + parent_group->subgroup_set_parent_permission
+
+	permission subgroup_manage_role_permission = subgroup_manage_role + parent_group->subgroup_manage_role_permission
+	permission subgroup_add_role_users_permission = subgroup_add_role_users + parent_group->subgroup_add_role_users_permission
+	permission subgroup_remove_role_users_permission = subgroup_remove_role_users + parent_group->subgroup_remove_role_users_permission
+	permission subgroup_view_role_users_permission = subgroup_view_role_users + parent_group->subgroup_view_role_users_permission
+
+	// Group permission
+	permission update_permission = update + parent_group->subgroup_create_permission + domain->group_update_permission
+	permission membership_permission = membership + parent_group->subgroup_membership_permission + domain->group_membership_permission
+	permission read_permission = read + parent_group->subgroup_read_permission + domain->group_read_permission
+	permission delete_permission = delete + parent_group->subgroup_delete_permission + domain->group_delete_permission
+	permission set_child_permission =	set_child + parent_group->subgroup_set_child_permission + domain->group_set_child_permission
+	permission set_parent_permission = set_parent + parent_group->subgroup_set_parent_permission + domain->group_set_parent_permission
+
+	permission manage_role_permission = manage_role + parent_group->subgroup_manage_role_permission + domain->group_manage_role_permission
+	permission add_role_users_permission = add_role_users + parent_group->subgroup_add_role_users_permission + domain->group_add_role_users_permission
+	permission remove_role_users_permission = remove_role_users + parent_group->subgroup_remove_role_users_permission + domain->group_remove_role_users_permission
+	permission view_role_users_permission = view_role_users + parent_group->subgroup_view_role_users_permission + domain->group_view_role_users_permission
+
+	// Subgroup clients permission
+	permission subgroup_client_update_permission = subgroup_client_update + parent_group->subgroup_client_update_permission
+	permission subgroup_client_read_permission = subgroup_client_read + parent_group->subgroup_client_read_permission
+	permission subgroup_client_delete_permission = subgroup_client_delete + parent_group->subgroup_client_delete_permission
+	permission subgroup_client_set_parent_group_permission = subgroup_client_set_parent_group + parent_group->subgroup_client_set_parent_group_permission
+	permission subgroup_client_connect_to_channel_permission = subgroup_client_connect_to_channel + parent_group->subgroup_client_connect_to_channel_permission
+
+	permission subgroup_client_manage_role_permission = subgroup_client_manage_role + parent_group->subgroup_client_manage_role_permission
+	permission subgroup_client_add_role_users_permission = subgroup_client_add_role_users + parent_group->subgroup_client_add_role_users_permission
+	permission subgroup_client_remove_role_users_permission = subgroup_client_remove_role_users + parent_group->subgroup_client_remove_role_users_permission
+	permission subgroup_client_view_role_users_permission = subgroup_client_view_role_users + parent_group->subgroup_client_view_role_users_permission
+
+	// Group clients permission
+	permission client_create_permission = client_create + parent_group->subgroup_client_create_permission + domain->client_create_permission
+	permission client_update_permission = client_update + parent_group->subgroup_client_update_permission + domain->client_update_permission
+	permission client_read_permission = client_read + parent_group->subgroup_client_read_permission + domain->client_read_permission
+	permission client_delete_permission = client_delete + parent_group->subgroup_client_delete_permission + domain->client_delete_permission
+	permission client_set_parent_group_permission = client_set_parent_group + parent_group->subgroup_client_set_parent_group_permission + domain->client_set_parent_group_permission
+	permission client_connect_to_channel_permission = client_connect_to_channel + parent_group->subgroup_client_connect_to_channel_permission + domain->client_connect_to_channel_permission
+
+	permission client_manage_role_permission = client_manage_role + parent_group->subgroup_client_manage_role_permission + domain->client_manage_role_permission
+	permission client_add_role_users_permission = client_add_role_users + parent_group->subgroup_client_add_role_users_permission + domain->client_add_role_users_permission
+	permission client_remove_role_users_permission = client_remove_role_users + parent_group->subgroup_client_remove_role_users_permission + domain->client_remove_role_users_permission
+	permission client_view_role_users_permission = client_view_role_users + parent_group->subgroup_client_view_role_users_permission + domain->client_view_role_users_permission
+
+	// Subgroup channels permission
+	permission subgroup_channel_update_permission = subgroup_channel_update + parent_group->subgroup_channel_update_permission
+	permission subgroup_channel_read_permission = subgroup_channel_read + parent_group->subgroup_channel_read_permission
+	permission subgroup_channel_delete_permission =  subgroup_channel_delete + parent_group->subgroup_channel_delete_permission
+	permission subgroup_channel_set_parent_group_permission = subgroup_channel_set_parent_group + parent_group->subgroup_channel_set_parent_group_permission
+	permission subgroup_channel_connect_to_client_permission = subgroup_channel_connect_to_client + parent_group->subgroup_channel_connect_to_client_permission
+	permission subgroup_channel_publish_permission = subgroup_channel_publish + parent_group->subgroup_channel_publish_permission
+	permission subgroup_channel_subscribe_permission = subgroup_channel_subscribe + parent_group->subgroup_channel_subscribe_permission
+
+	permission subgroup_channel_manage_role_permission = subgroup_channel_manage_role + parent_group->subgroup_channel_manage_role_permission
+	permission subgroup_channel_add_role_users_permission = subgroup_channel_add_role_users + parent_group->subgroup_channel_add_role_users_permission
+	permission subgroup_channel_remove_role_users_permission = subgroup_channel_remove_role_users + parent_group->subgroup_channel_remove_role_users_permission
+	permission subgroup_channel_view_role_users_permission = subgroup_channel_view_role_users + parent_group->subgroup_channel_view_role_users_permission
+
+	// Group channels permission
+	permission channel_create_permission = channel_create + parent_group->subgroup_channel_create_permission + domain->channel_create_permission
+	permission channel_update_permission = channel_update + parent_group->subgroup_channel_update_permission + domain->channel_update_permission
+	permission channel_read_permission = channel_read + parent_group->subgroup_channel_read_permission + domain->channel_read_permission
+	permission channel_delete_permission = channel_delete + parent_group->subgroup_channel_delete_permission + domain->channel_delete_permission
+	permission channel_set_parent_group_permission = channel_set_parent_group + parent_group->subgroup_channel_set_parent_group_permission + domain->channel_set_parent_group_permission
+	permission channel_connect_to_client_permission = channel_connect_to_client + parent_group->subgroup_channel_connect_to_client_permission + domain->channel_connect_to_client_permission
+	permission channel_publish_permission = channel_publish + parent_group->subgroup_channel_publish_permission + domain->channel_publish_permission
+	permission channel_subscribe_permission = channel_subscribe + parent_group->subgroup_channel_subscribe_permission + domain->channel_subscribe_permission
+
+	permission channel_manage_role_permission = channel_manage_role + parent_group->channel_manage_role_permission + domain->channel_manage_role_permission
+	permission channel_add_role_users_permission = channel_add_role_users + parent_group->channel_add_role_users_permission + domain->channel_add_role_users_permission
+	permission channel_remove_role_users_permission = channel_remove_role_users + parent_group->channel_remove_role_users_permission + domain->channel_remove_role_users_permission
+	permission channel_view_role_users_permission = channel_view_role_users + parent_group->channel_view_role_users_permission + domain->channel_view_role_users_permission
+
+
+}
+
+definition domain {
+	//Replace platform with organization in future
+	relation organization: platform
+	relation team: team
+
+	relation update: role#member | team#member
+	relation enable: role#member | team#member
+	relation disable: role#member | team#member
+	relation read: role#member | team#member
+	relation delete: role#member | team#member
+
+	relation manage_role: role#member | team#member
+	relation add_role_users: role#member | team#member
+	relation remove_role_users: role#member | team#member
+	relation view_role_users: role#member | team#member
+
+	relation client_create: role#member | team#member
+	relation channel_create: role#member | team#member
+	relation group_create: role#member | team#member
+
+	relation client_update: role#member | team#member
+	relation client_read: role#member | team#member
+	relation client_delete: role#member | team#member
+	relation client_set_parent_group: role#member | team#member
+	relation client_connect_to_channel: role#member | team#member
+
+	relation client_manage_role: role#member | team#member
+	relation client_add_role_users: role#member | team#member
+	relation client_remove_role_users: role#member | team#member
+	relation client_view_role_users: role#member | team#member
+
+	relation channel_update: role#member | team#member
+	relation channel_read: role#member | team#member
+	relation channel_delete: role#member | team#member
+	relation channel_set_parent_group: role#member | team#member
+	relation channel_connect_to_client: role#member | team#member
+	relation channel_publish: role#member | team#member
+	relation channel_subscribe: role#member | team#member
+
+	relation channel_manage_role: role#member | team#member
+	relation channel_add_role_users: role#member | team#member
+	relation channel_remove_role_users: role#member | team#member
+	relation channel_view_role_users: role#member | team#member
+
+	relation group_update: role#member | team#member
+	relation group_membership: role#member | team#member
+	relation group_read: role#member | team#member
+	relation group_delete: role#member | team#member
+	relation group_set_child: role#member | team#member
+	relation group_set_parent: role#member | team#member
+
+	relation group_manage_role: role#member | team#member
+	relation group_add_role_users: role#member | team#member
+	relation group_remove_role_users: role#member | team#member
+	relation group_view_role_users: role#member | team#member
+
+	// Magistrala-specific relations
+	relation alarm_create: role#member | team#member
+	relation alarm_update: role#member | team#member
+	relation alarm_read: role#member | team#member
+	relation alarm_delete: role#member | team#member
+	relation alarm_manage_role: role#member | team#member
+	relation alarm_add_role_users: role#member | team#member
+	relation alarm_remove_role_users: role#member | team#member
+	relation alarm_view_role_users: role#member | team#member
+	relation rule_create: role#member | team#member
+	relation rule_update: role#member | team#member
+	relation rule_read: role#member | team#member
+	relation rule_delete: role#member | team#member
+	relation rule_manage_role: role#member | team#member
+	relation rule_add_role_users: role#member | team#member
+	relation rule_remove_role_users: role#member | team#member
+	relation rule_view_role_users: role#member | team#member
+	relation report_create: role#member | team#member
+	relation report_update: role#member | team#member
+	relation report_read: role#member | team#member
+	relation report_delete: role#member | team#member
+	relation report_manage_role: role#member | team#member
+	relation report_add_role_users: role#member | team#member
+	relation report_remove_role_users: role#member | team#member
+	relation report_view_role_users: role#member | team#member
+
+	permission update_permission = update + team->domain_update + organization->admin
+	permission read_permission = read + team->domain_read + organization->admin
+	permission enable_permission = enable + team->domain_update + organization->admin
+	permission disable_permission = disable + team->domain_update + organization->admin
+	permission delete_permission = delete + team->domain_delete + organization->admin
+
+	permission manage_role_permission = manage_role + team->domain_manage_role + organization->admin
+	permission add_role_users_permission = add_role_users + team->domain_add_role_users + organization->admin
+	permission remove_role_users_permission = remove_role_users + team->domain_remove_role_users + organization->admin
+	permission view_role_users_permission = view_role_users + team->domain_view_role_users + organization->admin
+
+	permission membership = read + update + enable + disable + delete +
+	manage_role + add_role_users + remove_role_users + view_role_users +
+	client_create + channel_create + group_create +
+	client_update + client_read + client_delete + client_set_parent_group + client_connect_to_channel +
+	client_manage_role + client_add_role_users + client_remove_role_users + client_view_role_users +
+	channel_update + channel_read + channel_delete + channel_set_parent_group + channel_connect_to_client + channel_publish + channel_subscribe +
+	channel_manage_role + channel_add_role_users + channel_remove_role_users + channel_view_role_users +
+	group_update + group_membership + group_read + group_delete + group_set_child + group_set_parent +
+	group_manage_role + group_add_role_users + group_remove_role_users + group_view_role_users +
+	alarm_create + alarm_update + alarm_read + alarm_delete + alarm_manage_role + alarm_add_role_users + alarm_remove_role_users + alarm_view_role_users + rule_create + rule_update + rule_read + rule_delete + rule_manage_role + rule_add_role_users + rule_remove_role_users + rule_view_role_users + report_create + report_update + report_read + report_delete + report_manage_role + report_add_role_users + report_remove_role_users + report_view_role_users +
+	organization->admin
+
+	permission admin = (read & update & enable & disable & delete & manage_role & add_role_users & remove_role_users & view_role_users) + organization->admin
+
+	permission client_create_permission = client_create + team->client_create + organization->admin
+	permission channel_create_permission = channel_create + team->channel_create + organization->admin
+	permission group_create_permission = group_create + team->group_create + organization->admin
+
+	permission client_update_permission = client_update + team->client_update + organization->admin
+	permission client_read_permission = client_read + team->client_read + organization->admin
+	permission client_delete_permission = client_delete + team->client_delete + organization->admin
+	permission client_set_parent_group_permission = client_set_parent_group + team->client_set_parent_group + organization->admin
+	permission client_connect_to_channel_permission = client_connect_to_channel + team->client_connect_to_channel + organization->admin
+
+	permission client_manage_role_permission = client_manage_role + team->client_manage_role + organization->admin
+	permission client_add_role_users_permission = client_add_role_users + team->client_add_role_users + organization->admin
+	permission client_remove_role_users_permission = client_remove_role_users + team->client_remove_role_users + organization->admin
+	permission client_view_role_users_permission = client_view_role_users + team->client_view_role_users + organization->admin
+
+	permission channel_update_permission = channel_update + team->channel_update + organization->admin
+	permission channel_read_permission = channel_read + team->channel_read + organization->admin
+	permission channel_delete_permission = channel_delete + team->channel_delete + organization->admin
+	permission channel_set_parent_group_permission = channel_set_parent_group + team->channel_set_parent_group + organization->admin
+	permission channel_connect_to_client_permission = channel_connect_to_client + team->channel_connect_to_client + organization->admin
+	permission channel_publish_permission = channel_publish + team->channel_publish + organization->admin
+	permission channel_subscribe_permission = channel_subscribe + team->channel_subscribe + organization->admin
+
+	permission channel_manage_role_permission = channel_manage_role + team->channel_manage_role + organization->admin
+	permission channel_add_role_users_permission = channel_add_role_users + team->channel_add_role_users + organization->admin
+	permission channel_remove_role_users_permission = channel_remove_role_users + team->channel_remove_role_users + organization->admin
+	permission channel_view_role_users_permission = channel_view_role_users + team->channel_view_role_users + organization->admin
+
+	permission group_update_permission = group_update + team->group_update + organization->admin
+	permission group_membership_permission = group_membership + team->group_membership + organization->admin
+	permission group_read_permission = group_read + team->group_read + organization->admin
+	permission group_delete_permission = group_delete + team->group_delete + organization->admin
+	permission group_set_child_permission = group_set_child + team->group_set_child + organization->admin
+	permission group_set_parent_permission = group_set_parent + team->group_set_parent + organization->admin
+
+	permission group_manage_role_permission = group_manage_role + team->group_manage_role + organization->admin
+	permission group_add_role_users_permission = group_add_role_users + team->group_add_role_users + organization->admin
+	permission group_remove_role_users_permission = group_remove_role_users + team->group_remove_role_users + organization->admin
+	permission group_view_role_users_permission = group_view_role_users + team->group_view_role_users + organization->admin
+
+	// Magistrala-specific permissions
+	permission alarm_create_permission = alarm_create + team->alarm_create + organization->admin
+	permission alarm_update_permission = alarm_update + team->alarm_update + organization->admin
+	permission alarm_read_permission = alarm_read + team->alarm_read + organization->admin
+	permission alarm_delete_permission = alarm_delete + team->alarm_delete + organization->admin
+	permission alarm_manage_role_permission = alarm_manage_role + team->alarm_manage_role + organization->admin
+	permission alarm_add_role_users_permission = alarm_add_role_users + team->alarm_add_role_users + organization->admin
+	permission alarm_remove_role_users_permission = alarm_remove_role_users + team->alarm_remove_role_users + organization->admin
+	permission alarm_view_role_users_permission = alarm_view_role_users + team->alarm_view_role_users + organization->admin
+	permission rule_create_permission = rule_create + team->rule_create + organization->admin
+	permission rule_update_permission = rule_update + team->rule_update + organization->admin
+	permission rule_read_permission = rule_read + team->rule_read + organization->admin
+	permission rule_delete_permission = rule_delete + team->rule_delete + organization->admin
+	permission rule_manage_role_permission = rule_manage_role + team->rule_manage_role + organization->admin
+	permission rule_add_role_users_permission = rule_add_role_users + team->rule_add_role_users + organization->admin
+	permission rule_remove_role_users_permission = rule_remove_role_users + team->rule_remove_role_users + organization->admin
+	permission rule_view_role_users_permission = rule_view_role_users + team->rule_view_role_users + organization->admin
+	permission report_create_permission = report_create + team->report_create + organization->admin
+	permission report_update_permission = report_update + team->report_update + organization->admin
+	permission report_read_permission = report_read + team->report_read + organization->admin
+	permission report_delete_permission = report_delete + team->report_delete + organization->admin
+	permission report_manage_role_permission = report_manage_role + team->report_manage_role + organization->admin
+	permission report_add_role_users_permission = report_add_role_users + team->report_add_role_users + organization->admin
+	permission report_remove_role_users_permission = report_remove_role_users + team->report_remove_role_users + organization->admin
+	permission report_view_role_users_permission = report_view_role_users + team->report_view_role_users + organization->admin
+
+}
+
+// Add this relation and permission in future while adding organization
+definition team {
+	relation organization: organization
+	relation parent_team: team
+
+	relation delete: role#member
+	relation enable: role#member | team#member
+	relation disable: role#member | team#member
+	relation update: role#member
+	relation read: role#member
+
+	relation set_parent: role#member
+	relation set_child: role#member
+
+	relation member: role#member
+
+	relation manage_role: role#member
+	relation add_role_users: role#member
+	relation remove_role_users: role#member
+	relation view_role_users: role#member
+
+	relation subteam_delete: role#member
+	relation subteam_update: role#member
+	relation subteam_read: role#member
+
+	relation subteam_member: role#member
+
+	relation subteam_set_child: role#member
+	relation subteam_set_parent: role#member
+
+	relation subteam_manage_role: role#member
+	relation subteam_add_role_users: role#member
+	relation subteam_remove_role_users: role#member
+	relation subteam_view_role_users: role#member
+
+    // Domain related permission
+
+	relation domain_update: role#member | team#member
+	relation domain_read: role#member | team#member
+	relation domain_membership: role#member | team#member
+	relation domain_delete: role#member | team#member
+
+	relation domain_manage_role: role#member | team#member
+	relation domain_add_role_users: role#member | team#member
+	relation domain_remove_role_users: role#member | team#member
+	relation domain_view_role_users: role#member | team#member
+
+	relation client_create: role#member | team#member
+	relation channel_create: role#member | team#member
+	relation group_create: role#member | team#member
+
+	relation client_update: role#member | team#member
+	relation client_read: role#member | team#member
+	relation client_delete: role#member | team#member
+	relation client_set_parent_group: role#member | team#member
+	relation client_connect_to_channel: role#member | team#member
+
+	relation client_manage_role: role#member | team#member
+	relation client_add_role_users: role#member | team#member
+	relation client_remove_role_users: role#member | team#member
+	relation client_view_role_users: role#member | team#member
+
+	relation channel_update: role#member | team#member
+	relation channel_read: role#member | team#member
+	relation channel_delete: role#member | team#member
+	relation channel_set_parent_group: role#member | team#member
+	relation channel_connect_to_client: role#member | team#member
+	relation channel_publish: role#member | team#member
+	relation channel_subscribe: role#member | team#member
+
+	relation channel_manage_role: role#member | team#member
+	relation channel_add_role_users: role#member | team#member
+	relation channel_remove_role_users: role#member | team#member
+	relation channel_view_role_users: role#member | team#member
+
+	relation group_update: role#member | team#member
+	relation group_membership: role#member | team#member
+	relation group_read: role#member | team#member
+	relation group_delete: role#member | team#member
+	relation group_set_child: role#member | team#member
+	relation group_set_parent: role#member | team#member
+
+	relation group_manage_role: role#member | team#member
+	relation group_add_role_users: role#member | team#member
+	relation group_remove_role_users: role#member | team#member
+	relation group_view_role_users: role#member | team#member
+
+	// Magistrala-specific relations
+	relation alarm_create: role#member | team#member
+	relation alarm_update: role#member | team#member
+	relation alarm_read: role#member | team#member
+	relation alarm_delete: role#member | team#member
+	relation alarm_manage_role: role#member | team#member
+	relation alarm_add_role_users: role#member | team#member
+	relation alarm_remove_role_users: role#member | team#member
+	relation alarm_view_role_users: role#member | team#member
+	relation rule_create: role#member | team#member
+	relation rule_update: role#member | team#member
+	relation rule_read: role#member | team#member
+	relation rule_delete: role#member | team#member
+	relation rule_manage_role: role#member | team#member
+	relation rule_add_role_users: role#member | team#member
+	relation rule_remove_role_users: role#member | team#member
+	relation rule_view_role_users: role#member | team#member
+	relation report_create: role#member | team#member
+	relation report_update: role#member | team#member
+	relation report_read: role#member | team#member
+	relation report_delete: role#member | team#member
+	relation report_manage_role: role#member | team#member
+	relation report_add_role_users: role#member | team#member
+	relation report_remove_role_users: role#member | team#member
+	relation report_view_role_users: role#member | team#member
+
+	permission delete_permission = delete + organization->team_delete + parent_team->subteam_delete + organization->admin
+	permission update_permission = update + organization->team_update + parent_team->subteam_update + organization->admin
+	permission read_permission = read + organization->team_read + parent_team->subteam_read + organization->admin
+
+	permission set_parent_permission = set_parent + organization->team_set_parent + parent_team->subteam_set_parent + organization->admin
+	permission set_child_permisssion = set_child + organization->team_set_child + parent_team->subteam_set_child + organization->admin
+
+    permission membership = member + organization->team_member + parent_team->subteam_member + organization->admin
+
+	permission manage_role_permission = manage_role + organization->team_manage_role + parent_team->subteam_manage_role + organization->admin
+	permission add_role_users_permission = add_role_users + organization->team_add_role_users + parent_team->subteam_add_role_users + organization->admin
+	permission remove_role_users_permission = remove_role_users + organization->team_remove_role_users + parent_team->subteam_remove_role_users + organization->admin
+	permission view_role_users_permission = view_role_users + organization->team_view_role_users + parent_team->subteam_view_role_users + organization->admin
+}
+
+
+definition organization {
+	relation platform: platform
+	relation administrator: user
+
+	relation delete: role#member
+	relation update: role#member
+	relation read: role#member
+
+	relation member: role#member
+
+	relation manage_role: role#member
+	relation add_role_users: role#member
+	relation remove_role_users: role#member
+	relation view_role_users: role#member
+
+	relation team_create: role#member
+
+	relation team_delete: role#member
+	relation team_update: role#member
+	relation team_read: role#member
+
+	relation team_member: role#member  // Will be member of all the teams in the organization
+
+	relation team_set_child: role#member
+	relation team_set_parent: role#member
+
+	relation team_manage_role: role#member
+	relation team_add_role_users: role#member
+	relation team_remove_role_users: role#member
+	relation team_view_role_users: role#member
+
+	permission admin = administrator + platform->administrator
+	permission delete_permission = admin + delete->member
+	permission update_permission = admin + update->member
+	permission read_permission = admin + read->member
+
+	permission membership = admin + member->member
+
+	permission team_create_permission = admin + team_create->member
+
+	permission manage_role_permission = admin + manage_role
+	permission add_role_users_permisson = admin + add_role_users
+	permission remove_role_users_permission = admin + remove_role_users
+	permission view_role_users_permission = admin + view_role_users
+}
+
+
+definition platform {
+  relation administrator: user
+  relation member: user
+
+  permission admin = administrator
+  permission membership = administrator + member
+}
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Merge documentation
+// - Source A (base): docker/supermq-docker/spicedb/schema.zed (SuperMQ upstream schema)
+// - Source B (overlay): docker/spicedb/override-schema.zed (Magistrala schema extensions)
+// - Merge script: scripts/combined-schema.sh
+// - Output: docker/spicedb/combined-schema.zed
+//
+// How merge works:
+// 1. The first `definition domain { ... }` block is treated as explicit domain overlay.
+// 2. The first `definition team { ... }` block is treated as explicit team overlay.
+// 3. Domain overlay relations/permissions are injected into SuperMQ `definition domain`.
+// 4. Team overlay relations are injected into SuperMQ `definition team`.
+// 5. `permission membership_extension = ...` from the domain overlay is injected into
+//    SuperMQ `domain.permission membership` before `organization->admin`.
+// 6. Overlay `definition domain` and `definition team` blocks are removed before append,
+//    so only merged SuperMQ domain/team definitions remain.
+// 7. Remaining definitions in this file (for example `alarm`, `rule`, `report`) are appended.
+//
+// Maintenance notes:
+// - Keep all custom domain/team merge lines inside the two overlay blocks below.
+// - Update `permission membership_extension` whenever domain membership additions change.
+// - Regenerate combined schema with: `sh scripts/combine-schema.sh`
+// - `scripts/supermq.sh` also regenerates combined schema after refreshing SuperMQ docker files.
+
+// Overlay domain block consumed by scripts/combine-schema.sh during merge.
+
+// Overlay team block consumed by scripts/combine-schema.sh during merge.
+
+definition alarm {
+relation domain: domain
+
+relation update: role#member
+relation read: role#member
+relation delete: role#member
+
+relation manage_role: role#member
+relation add_role_users: role#member
+relation remove_role_users: role#member
+relation view_role_users: role#member
+
+permission update_permission = update + domain->alarm_update_permission
+permission read_permission = read + domain->alarm_read_permission
+permission delete_permission = delete + domain->alarm_delete_permission
+
+permission manage_role_permission = manage_role + domain->alarm_manage_role_permission
+permission add_role_users_permission = add_role_users + domain->alarm_add_role_users_permission
+permission remove_role_users_permission = remove_role_users + domain->alarm_remove_role_users_permission
+permission view_role_users_permission = view_role_users + domain->alarm_view_role_users_permission
+}
+
+definition rule {
+relation domain: domain
+
+relation update: role#member
+relation read: role#member
+relation delete: role#member
+
+relation manage_role: role#member
+relation add_role_users: role#member
+relation remove_role_users: role#member
+relation view_role_users: role#member
+
+permission update_permission = update + domain->rule_update_permission
+permission read_permission = read + domain->rule_read_permission
+permission delete_permission = delete + domain->rule_delete_permission
+
+permission manage_role_permission = manage_role + domain->rule_manage_role_permission
+permission add_role_users_permission = add_role_users + domain->rule_add_role_users_permission
+permission remove_role_users_permission = remove_role_users + domain->rule_remove_role_users_permission
+permission view_role_users_permission = view_role_users + domain->rule_view_role_users_permission
+}
+
+definition report {
+relation domain: domain
+
+relation update: role#member
+relation read: role#member
+relation delete: role#member
+
+relation manage_role: role#member
+relation add_role_users: role#member
+relation remove_role_users: role#member
+relation view_role_users: role#member
+
+permission update_permission = update + domain->report_update_permission
+permission read_permission = read + domain->report_read_permission
+permission delete_permission = delete + domain->report_delete_permission
+
+permission manage_role_permission = manage_role + domain->report_manage_role_permission
+permission add_role_users_permission = add_role_users + domain->report_add_role_users_permission
+permission remove_role_users_permission = remove_role_users + domain->report_remove_role_users_permission
+permission view_role_users_permission = view_role_users + domain->report_view_role_users_permission
+}

docker/spicedb/override-schema.zed

@@ -0,0 +1,187 @@
+// Copyright (c) Abstract Machines
+// SPDX-License-Identifier: Apache-2.0
+
+// Merge documentation
+// - Source A (base): docker/supermq-docker/spicedb/schema.zed (SuperMQ upstream schema)
+// - Source B (overlay): docker/spicedb/override-schema.zed (Magistrala schema extensions)
+// - Merge script: scripts/combined-schema.sh
+// - Output: docker/spicedb/combined-schema.zed
+//
+// How merge works:
+// 1. The first `definition domain { ... }` block is treated as explicit domain overlay.
+// 2. The first `definition team { ... }` block is treated as explicit team overlay.
+// 3. Domain overlay relations/permissions are injected into SuperMQ `definition domain`.
+// 4. Team overlay relations are injected into SuperMQ `definition team`.
+// 5. `permission membership_extension = ...` from the domain overlay is injected into
+//    SuperMQ `domain.permission membership` before `organization->admin`.
+// 6. Overlay `definition domain` and `definition team` blocks are removed before append,
+//    so only merged SuperMQ domain/team definitions remain.
+// 7. Remaining definitions in this file (for example `alarm`, `rule`, `report`) are appended.
+//
+// Maintenance notes:
+// - Keep all custom domain/team merge lines inside the two overlay blocks below.
+// - Update `permission membership_extension` whenever domain membership additions change.
+// - Regenerate combined schema with: `sh scripts/combine-schema.sh`
+// - `scripts/supermq.sh` also regenerates combined schema after refreshing SuperMQ docker files.
+
+// Overlay domain block consumed by scripts/combine-schema.sh during merge.
+definition domain {
+
+	// Magistrala-specific relations
+	relation alarm_create: role#member | team#member
+	relation alarm_update: role#member | team#member
+	relation alarm_read: role#member | team#member
+	relation alarm_delete: role#member | team#member
+	relation alarm_manage_role: role#member | team#member
+	relation alarm_add_role_users: role#member | team#member
+	relation alarm_remove_role_users: role#member | team#member
+	relation alarm_view_role_users: role#member | team#member
+
+	relation rule_create: role#member | team#member
+	relation rule_update: role#member | team#member
+	relation rule_read: role#member | team#member
+	relation rule_delete: role#member | team#member
+	relation rule_manage_role: role#member | team#member
+	relation rule_add_role_users: role#member | team#member
+	relation rule_remove_role_users: role#member | team#member
+	relation rule_view_role_users: role#member | team#member
+
+	relation report_create: role#member | team#member
+	relation report_update: role#member | team#member
+	relation report_read: role#member | team#member
+	relation report_delete: role#member | team#member
+	relation report_manage_role: role#member | team#member
+	relation report_add_role_users: role#member | team#member
+	relation report_remove_role_users: role#member | team#member
+	relation report_view_role_users: role#member | team#member
+
+	// Magistrala-specific permissions
+	permission alarm_create_permission = alarm_create + team->alarm_create + organization->admin
+	permission alarm_update_permission = alarm_update + team->alarm_update + organization->admin
+	permission alarm_read_permission = alarm_read + team->alarm_read + organization->admin
+	permission alarm_delete_permission = alarm_delete + team->alarm_delete + organization->admin
+	permission alarm_manage_role_permission = alarm_manage_role + team->alarm_manage_role + organization->admin
+	permission alarm_add_role_users_permission = alarm_add_role_users + team->alarm_add_role_users + organization->admin
+	permission alarm_remove_role_users_permission = alarm_remove_role_users + team->alarm_remove_role_users + organization->admin
+	permission alarm_view_role_users_permission = alarm_view_role_users + team->alarm_view_role_users + organization->admin
+
+	permission rule_create_permission = rule_create + team->rule_create + organization->admin
+	permission rule_update_permission = rule_update + team->rule_update + organization->admin
+	permission rule_read_permission = rule_read + team->rule_read + organization->admin
+	permission rule_delete_permission = rule_delete + team->rule_delete + organization->admin
+	permission rule_manage_role_permission = rule_manage_role + team->rule_manage_role + organization->admin
+	permission rule_add_role_users_permission = rule_add_role_users + team->rule_add_role_users + organization->admin
+	permission rule_remove_role_users_permission = rule_remove_role_users + team->rule_remove_role_users + organization->admin
+	permission rule_view_role_users_permission = rule_view_role_users + team->rule_view_role_users + organization->admin
+
+	permission report_create_permission = report_create + team->report_create + organization->admin
+	permission report_update_permission = report_update + team->report_update + organization->admin
+	permission report_read_permission = report_read + team->report_read + organization->admin
+	permission report_delete_permission = report_delete + team->report_delete + organization->admin
+	permission report_manage_role_permission = report_manage_role + team->report_manage_role + organization->admin
+	permission report_add_role_users_permission = report_add_role_users + team->report_add_role_users + organization->admin
+	permission report_remove_role_users_permission = report_remove_role_users + team->report_remove_role_users + organization->admin
+	permission report_view_role_users_permission = report_view_role_users + team->report_view_role_users + organization->admin
+
+	// Explicit extension injected into SuperMQ domain `permission membership`.
+	permission membership_extension = alarm_create + alarm_update + alarm_read + alarm_delete + alarm_manage_role + alarm_add_role_users + alarm_remove_role_users + alarm_view_role_users + rule_create + rule_update + rule_read + rule_delete + rule_manage_role + rule_add_role_users + rule_remove_role_users + rule_view_role_users + report_create + report_update + report_read + report_delete + report_manage_role + report_add_role_users + report_remove_role_users + report_view_role_users
+
+}
+
+// Overlay team block consumed by scripts/combine-schema.sh during merge.
+definition team {
+
+	relation alarm_create: role#member | team#member
+	relation alarm_update: role#member | team#member
+	relation alarm_read: role#member | team#member
+	relation alarm_delete: role#member | team#member
+	relation alarm_manage_role: role#member | team#member
+	relation alarm_add_role_users: role#member | team#member
+	relation alarm_remove_role_users: role#member | team#member
+	relation alarm_view_role_users: role#member | team#member
+
+	relation rule_create: role#member | team#member
+	relation rule_update: role#member | team#member
+	relation rule_read: role#member | team#member
+	relation rule_delete: role#member | team#member
+	relation rule_manage_role: role#member | team#member
+	relation rule_add_role_users: role#member | team#member
+	relation rule_remove_role_users: role#member | team#member
+	relation rule_view_role_users: role#member | team#member
+
+	relation report_create: role#member | team#member
+	relation report_update: role#member | team#member
+	relation report_read: role#member | team#member
+	relation report_delete: role#member | team#member
+	relation report_manage_role: role#member | team#member
+	relation report_add_role_users: role#member | team#member
+	relation report_remove_role_users: role#member | team#member
+	relation report_view_role_users: role#member | team#member
+
+}
+
+definition alarm {
+relation domain: domain
+
+relation update: role#member
+relation read: role#member
+relation delete: role#member
+
+relation manage_role: role#member
+relation add_role_users: role#member
+relation remove_role_users: role#member
+relation view_role_users: role#member
+
+permission update_permission = update + domain->alarm_update_permission
+permission read_permission = read + domain->alarm_read_permission
+permission delete_permission = delete + domain->alarm_delete_permission
+
+permission manage_role_permission = manage_role + domain->alarm_manage_role_permission
+permission add_role_users_permission = add_role_users + domain->alarm_add_role_users_permission
+permission remove_role_users_permission = remove_role_users + domain->alarm_remove_role_users_permission
+permission view_role_users_permission = view_role_users + domain->alarm_view_role_users_permission
+}
+
+definition rule {
+relation domain: domain
+
+relation update: role#member
+relation read: role#member
+relation delete: role#member
+
+relation manage_role: role#member
+relation add_role_users: role#member
+relation remove_role_users: role#member
+relation view_role_users: role#member
+
+permission update_permission = update + domain->rule_update_permission
+permission read_permission = read + domain->rule_read_permission
+permission delete_permission = delete + domain->rule_delete_permission
+
+permission manage_role_permission = manage_role + domain->rule_manage_role_permission
+permission add_role_users_permission = add_role_users + domain->rule_add_role_users_permission
+permission remove_role_users_permission = remove_role_users + domain->rule_remove_role_users_permission
+permission view_role_users_permission = view_role_users + domain->rule_view_role_users_permission
+}
+
+definition report {
+relation domain: domain
+
+relation update: role#member
+relation read: role#member
+relation delete: role#member
+
+relation manage_role: role#member
+relation add_role_users: role#member
+relation remove_role_users: role#member
+relation view_role_users: role#member
+
+permission update_permission = update + domain->report_update_permission
+permission read_permission = read + domain->report_read_permission
+permission delete_permission = delete + domain->report_delete_permission
+
+permission manage_role_permission = manage_role + domain->report_manage_role_permission
+permission add_role_users_permission = add_role_users + domain->report_add_role_users_permission
+permission remove_role_users_permission = remove_role_users + domain->report_remove_role_users_permission
+permission view_role_users_permission = view_role_users + domain->report_view_role_users_permission
+}

docker/supermq-docker-compose.override.yaml

@@ -2,9 +2,12 @@
 # SPDX-License-Identifier: Apache-2.0
 
 services:
+
   spicedb:
     networks: !override
       - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
 
   spicedb-migrate:
     networks: !override
@@ -17,7 +20,8 @@ services:
   auth-db:
     networks: !override
       - magistrala-base-net
-
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
   auth-redis:
     networks: !override
       - magistrala-base-net
@@ -25,6 +29,8 @@ services:
   auth:
     networks: !override
       - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
 
   domains-db:
     networks: !override
@@ -37,6 +43,8 @@ services:
   domains:
     networks: !override
       - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
 
   clients-db:
     networks: !override
@@ -49,6 +57,8 @@ services:
   clients:
     networks: !override
       - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
 
   channels-redis:
     networks: !override
@@ -61,6 +71,8 @@ services:
   channels:
     networks: !override
       - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
 
   users-db:
     networks: !override
@@ -77,6 +89,8 @@ services:
   groups:
     networks: !override
       - magistrala-base-net
+    volumes:
+      - ../spicedb/combined-schema.zed:${SMQ_SPICEDB_SCHEMA_FILE}
 
   jaeger:
     networks: !override
@@ -170,10 +184,10 @@ services:
       AM_CERTS_OPENBAO_UNSEAL_KEY_2: ${AM_CERTS_OPENBAO_UNSEAL_KEY_2}
       AM_CERTS_OPENBAO_UNSEAL_KEY_3: ${AM_CERTS_OPENBAO_UNSEAL_KEY_3}
       AM_CERTS_OPENBAO_ROOT_TOKEN: ${AM_CERTS_OPENBAO_ROOT_TOKEN}
-      
+
       AM_JAEGER_URL: ${AM_JAEGER_URL}
       AM_JAEGER_TRACE_RATIO: ${AM_JAEGER_TRACE_RATIO}
-      
+
       AM_AUTH_GRPC_URL: ${AM_AUTH_GRPC_URL}
       AM_AUTH_GRPC_TIMEOUT: ${AM_AUTH_GRPC_TIMEOUT}
       AM_AUTH_GRPC_CLIENT_CERT: ${AM_AUTH_GRPC_CLIENT_CERT}
@@ -209,3 +223,5 @@ services:
     env_file: !override
       - ./.env
       - ../../docker/.env
+
+