Superusers

Learn how to use policies to create superuser overrides.

Superuser policies allow specific users to override inheritance rules to grant broad access to many resources. This is useful for granting elevated privileges to trusted users, such as administrators, support engineers, or internal employees.

When to use?

Use superuser policies when you need to:

Provide emergency access to a resource without modifying existing permissions.

Allow internal employees to manage resources without explicitly assigning them to each one.

Implement organization-wide administrative roles that apply across multiple resources.

Example Applications

Many applications implement superuser policies, including:

E-commerce platforms: Store administrators or support agents need access to all stores for troubleshooting.

Multi-tenant SaaS applications: Internal employees may need to access any tenant’s data for support purposes.

Content management systems: Superusers may need the ability to edit or review content across multiple projects.

Example Schema

 version 0.3

type user

type store
  relation editor [user]
  relation viewer [user]

  // Editors of a store are either
  //   Assigned directly as an editor of the store
  //   Or superusers who can edit any store (via is_superuser policy)
  inherit editor if
      policy is_superuser

  // Any editor can also view the store
  inherit viewer if
    relation editor

policy is_superuser(user map) {
  user.superuser == true &&
    user.email endsWith "@internal-domain.com"
}