Inheritance

Relations inherit hierarchically within a namespace:

owner ⊇ editor ⊇ viewer

If alice is owner of document:42, then checking editor or viewer for alice on document:42 also returns true.

Inheritance is static and defined by the namespace configuration, not per-tuple. It is one of Pore’s load-bearing invariants: if is_authorized(s, r1, o) and r1 ⊇ r2, then is_authorized(s, r2, o).

Why inheritance, not granting each relation

Granting only the highest relation keeps your grant graph small and the revocation story simple. Revoking owner removes editor and viewer implicitly — no second revoke call needed.

member sits outside the owner/editor/viewer hierarchy. It is reserved for group membership:

(user:alice, member, team:engineering)

This says alice is a member of the engineering team. Group membership is resolved at check time via group expansion, which is always one level deep.
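As an added illustration (not Pore's own code), a small Python model of the rules above: a static namespace hierarchy, the closure of implied relations, and one-level group expansion at check time. It assumes a group can itself be the subject of a grant tuple, e.g. (team:engineering, editor, document:42); that tuple shape and the HIERARCHY table are assumptions, not something this page shows.

```python
from typing import Dict, Set, Tuple

# Hypothetical static namespace configuration: each relation lists the
# relations it directly implies. `member` sits outside the hierarchy.
HIERARCHY: Dict[str, Set[str]] = {
    "owner": {"editor"},
    "editor": {"viewer"},
    "viewer": set(),
    "member": set(),
}

Triple = Tuple[str, str, str]  # (subject, relation, object)

# Constructed sample grant graph. Only the highest relation is granted to alice.
# (team:engineering, editor, document:42) is the assumed group-grant shape.
SAMPLE_TUPLES: Set[Triple] = {
    ("user:alice", "owner", "document:42"),
    ("user:bob", "member", "team:engineering"),
    ("team:engineering", "editor", "document:42"),
    ("team:engineering", "member", "team:all"),   # nested group
    ("team:all", "viewer", "document:99"),         # reachable only via 2 levels
}


def implied_relations(relation: str) -> Set[str]:
    """All relations that holding `relation` grants, including itself (r ⊇ r)."""
    seen, stack = {relation}, [relation]
    while stack:
        for r in HIERARCHY.get(stack.pop(), set()):
            if r not in seen:
                seen.add(r)
                stack.append(r)
    return seen


def is_authorized(tuples: Set[Triple], subject: str, relation: str, obj: str) -> bool:
    """Direct grants first (with static inheritance), then one level of group expansion."""
    # Direct grants: any relation the subject holds on obj that implies `relation`.
    for s, r, o in tuples:
        if s == subject and o == obj and relation in implied_relations(r):
            return True
    # Group expansion, exactly one level: groups the subject is directly a member of.
    groups = {o for s, r, o in tuples if s == subject and r == "member"}
    for s, r, o in tuples:
        if s in groups and o == obj and relation in implied_relations(r):
            return True
    return False  # nested groups (member of a member) are deliberately not followed
```

Revoking alice's single owner tuple removes her editor and viewer access in the same step, since nothing else in the graph grants them; the nested team:all grant on document:99 never reaches bob because expansion stops after one level.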