Ory Keto ReBAC Policy & Relation Tuple Architecture

backend/internal/domain/keto_outbox.go

@@ -0,0 +1,48 @@
+package domain
+
+import (
+	"time"
+
+	"github.com/google/uuid"
+	"gorm.io/gorm"
+)
+
+// KetoOutbox status
+const (
+	KetoOutboxStatusPending   = "pending"
+	KetoOutboxStatusProcessed = "processed"
+	KetoOutboxStatusFailed    = "failed"
+)
+
+// KetoOutbox action
+const (
+	KetoOutboxActionCreate = "CREATE"
+	KetoOutboxActionDelete = "DELETE"
+)
+
+// KetoOutbox represents a Keto relationship tuple update event.
+type KetoOutbox struct {
+	ID         string    `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
+	Namespace  string    `gorm:"not null" json:"namespace"`
+	Object     string    `gorm:"not null" json:"object"`
+	Relation   string    `gorm:"not null" json:"relation"`
+	Subject    string    `gorm:"not null" json:"subject"` // format: "User:ID" or "Tenant:ID#members"
+	Action     string    `gorm:"not null" json:"action"`  // CREATE, DELETE
+	Status     string    `gorm:"default:'pending';index" json:"status"`
+	RetryCount int       `gorm:"default:0" json:"retryCount"`
+	LastError  string    `json:"lastError,omitempty"`
+	CreatedAt  time.Time `json:"createdAt"`
+	UpdatedAt  time.Time `json:"updatedAt"`
+	ProcessedAt *time.Time `json:"processedAt,omitempty"`
+}
+
+func (ko *KetoOutbox) TableName() string {
+	return "keto_outbox"
+}
+
+func (ko *KetoOutbox) BeforeCreate(tx *gorm.DB) (err error) {
+	if ko.ID == "" {
+		ko.ID = uuid.NewString()
+	}
+	return
+}

backend/internal/domain/tenant.go

@@ -15,9 +15,18 @@ const (
 	TenantStatusDeleted   = "deleted"
 )
 
+// Tenant types
+const (
+	TenantTypePersonal     = "PERSONAL"
+	TenantTypeCompany      = "COMPANY"
+	TenantTypeCompanyGroup = "COMPANY_GROUP"
+	TenantTypeUserGroup    = "USER_GROUP"
+)
+
 // Tenant represents a tenant model stored in PostgreSQL.
 type Tenant struct {
 	ID          string         `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
+	Type        string         `gorm:"not null;default:'PERSONAL'" json:"type"`   // PERSONAL, COMPANY, COMPANY_GROUP, USER_GROUP
 	ParentID    *string        `gorm:"type:uuid;index" json:"parentId,omitempty"` // 부모 테넌트 ID
 	Name        string         `gorm:"not null" json:"name"`
 	Slug        string         `gorm:"uniqueIndex;not null" json:"slug"`

backend/internal/domain/user.go

@@ -29,6 +29,8 @@ type User struct {
 	Tenant          *Tenant        `gorm:"foreignKey:TenantID" json:"tenant,omitempty"`
 	RelyingPartyID  *string        `gorm:"type:uuid;index" json:"relyingPartyId,omitempty"` // RP Admin용
 	Department      string         `json:"department"`
+	Position        string         `json:"position"` // 직급 (예: 수석, 책임, 선임)
+	JobTitle        string         `json:"jobTitle"` // 직무 (예: 프론트엔드 개발, 기획)
 	Metadata        JSONMap        `gorm:"type:jsonb" json:"metadata,omitempty"`
 	Status          string         `gorm:"default:'active'" json:"status"`
 	CreatedAt       time.Time      `json:"createdAt"`

backend/internal/domain/user_group.go

@@ -11,14 +11,17 @@ import (
 type UserGroup struct {
 	ID          string         `gorm:"primaryKey;type:uuid;default:gen_random_uuid()" json:"id"`
 	TenantID    string         `gorm:"type:uuid;index;not null" json:"tenantId"`
+	ParentID    *string        `gorm:"type:uuid;index" json:"parentId,omitempty"` // 상위 조직 ID
 	Name        string         `gorm:"not null" json:"name"`
 	Description string         `json:"description"`
+	UnitType    string         `json:"unitType"` // 부, 국, 팀, 셀 등
 	CreatedAt   time.Time      `json:"createdAt"`
 	UpdatedAt   time.Time      `json:"updatedAt"`
 	DeletedAt   gorm.DeletedAt `gorm:"index" json:"-"`
 
 	// Relationships
-	Members []User `gorm:"-" json:"members,omitempty"`
+	Parent  *UserGroup `gorm:"foreignKey:ParentID" json:"parent,omitempty"`
+	Members []User     `gorm:"-" json:"members,omitempty"`
 }
 
 type GroupRole struct {