fix: improve keto sync reliability and initial rebac permissions for super admin

docker/ory/keto/namespaces.ts

@@ -2,11 +2,23 @@ import { Namespace, Subject, Context, SubjectSet } from "@ory/keto-definitions"
 
 class User implements Namespace {}
 
+class System implements Namespace {
+  related: {
+    super_admins: User[]
+    authenticated_users: User[]
+  }
+
+  permits = {
+    manage_all: (ctx: Context): boolean =>
+      this.related.super_admins.includes(ctx.subject)
+  }
+}
+
 class Tenant implements Namespace {
   related: {
-    owners: User[]
-    admins: User[]
-    members: User[]
+    owners: (User | SubjectSet<System, "super_admins">)[]
+    admins: (User | SubjectSet<System, "super_admins">)[]
+    members: (User | SubjectSet<System, "super_admins"> | SubjectSet<Tenant, "admins"> | SubjectSet<Tenant, "owners">)[]
     parents: Tenant[]
   }
 
@@ -33,9 +45,9 @@ class Tenant implements Namespace {
 
 class RelyingParty implements Namespace {
   related: {
-    admins: User[]
+    admins: (User | SubjectSet<System, "super_admins"> | SubjectSet<Tenant, "admins"> | SubjectSet<Tenant, "owners">)[]
     parents: Tenant[]
-    access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users">)[]
+    access: (User | SubjectSet<Tenant, "members"> | SubjectSet<System, "authenticated_users"> | SubjectSet<System, "super_admins">)[]
   }
 
   permits = {
@@ -52,15 +64,3 @@ class RelyingParty implements Namespace {
       this.permits.manage(ctx)
   }
 }
-
-class System implements Namespace {
-  related: {
-    super_admins: User[]
-    authenticated_users: User[]
-  }
-
-  permits = {
-    manage_all: (ctx: Context): boolean =>
-      this.related.super_admins.includes(ctx.subject)
-  }
-}

docker/ory/oathkeeper/rules.active.json

@@ -156,4 +156,4 @@
     "authorizer": { "handler": "allow" },
     "mutators": [{ "handler": "noop" }]
   }
-]
+]