Resource creation authorization

When implementing authorization, you face a classic "chicken-and-egg" dilemma: how do you authorize users to create new resources when authorization typically depends on permissions that are granted after those resources exist?

How you should resolve this depends on the hierarchy of the resources in your policy.

Root-level resources (User, Organization)

In most Polar policies, there exists a root-level resource that usually takes one of two forms:

  • For multi-tenant SaaS applications: resource Organization
  • For consumer applications: actor User

In both cases, all other resources are represented in relation to the root-level resource.

For details on this kind of authorization, see Bootstrapping root-level resources.

Parent-child resources

Most other resources have a parent-child-like relationship. For example, Documents might belong to an Organization.

For details on this kind of authorization, see Authorizing the creation of child resources.