super_auth 0.1.5 → 0.3.0

data/config/routes.rb

@@ -0,0 +1,73 @@
+SuperAuth::Engine.routes.draw do
+  # Main graph visualization interface
+  get '/', to: 'graph#index', as: :root
+  get '/graph', to: 'graph#index'
+
+  # Graph data API
+  get '/graph/data', to: 'graph#data'
+  get '/graph/orphaned', to: 'graph#orphaned'
+  post '/graph/compile_authorizations', to: 'graph#compile_authorizations'
+
+  # Authorization check
+  get '/graph/authorize', to: 'graph#authorize'
+
+  # Legacy visualization endpoint
+  get '/visualization', to: 'graph#visualization'
+
+  # CRUD operations for graph entities
+  scope :graph do
+    resources :users, only: [:create, :destroy], controller: 'graph' do
+      collection do
+        post '/', action: :create_user
+      end
+      member do
+        delete '/', action: :delete_user
+      end
+    end
+
+    resources :groups, only: [:create, :destroy], controller: 'graph' do
+      collection do
+        post '/', action: :create_group
+      end
+      member do
+        delete '/', action: :delete_group
+      end
+    end
+
+    resources :roles, only: [:create, :destroy], controller: 'graph' do
+      collection do
+        post '/', action: :create_role
+      end
+      member do
+        delete '/', action: :delete_role
+      end
+    end
+
+    resources :permissions, only: [:create, :destroy], controller: 'graph' do
+      collection do
+        post '/', action: :create_permission
+      end
+      member do
+        delete '/', action: :delete_permission
+      end
+    end
+
+    resources :graph_resources, only: [:create, :destroy], controller: 'graph', path: 'resources' do
+      collection do
+        post '/', action: :create_resource
+      end
+      member do
+        delete '/', action: :delete_resource
+      end
+    end
+
+    resources :edges, only: [:create, :destroy], controller: 'graph' do
+      collection do
+        post '/', action: :create_edge
+      end
+      member do
+        delete '/', action: :delete_edge
+      end
+    end
+  end
+end

data/db/migrate/1_users.rb

@@ -3,6 +3,7 @@ Sequel.migration do
     create_table(:super_auth_users) do
       primary_key :id
       String :external_id # , null: false
+      String :external_type # , null: false
       String :name
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP

data/db/migrate/2_groups.rb

@@ -1,9 +1,16 @@
 Sequel.migration do
   up do
+    is_postgres = self.database_type == :postgres
+
     create_table(:super_auth_groups) do
       primary_key :id
       String :name, null: false
-      foreign_key :parent_id, :super_auth_groups, deferrable: true, type: :integer
+      # deferrable constraints only supported in PostgreSQL
+      if is_postgres
+        foreign_key :parent_id, :super_auth_groups, deferrable: true, type: :integer
+      else
+        foreign_key :parent_id, :super_auth_groups, type: :integer
+      end
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end

data/db/migrate/4_roles.rb

@@ -1,9 +1,16 @@
 Sequel.migration do
   up do
+    is_postgres = self.database_type == :postgres
+
     create_table(:super_auth_roles) do
       primary_key :id
       String :name, null: false
-      foreign_key :parent_id, :super_auth_roles, deferrable: true, type: :integer
+      # deferrable constraints only supported in PostgreSQL
+      if is_postgres
+        foreign_key :parent_id, :super_auth_roles, deferrable: true, type: :integer
+      else
+        foreign_key :parent_id, :super_auth_roles, type: :integer
+      end
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end

data/db/migrate/5_resources.rb

@@ -4,6 +4,7 @@ Sequel.migration do
       primary_key :id
       String :name
       String :external_id # , null: false
+      String :external_type # , null: false
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end

data/db/migrate/7_authorization.rb

@@ -4,6 +4,7 @@ Sequel.migration do
       Integer :user_id, null: true
       String :user_name, null: true
       String :user_external_id, null: true
+      String :user_external_type, null: true
       DateTime :user_created_at, null: true
       DateTime :user_updated_at, null: true
       Integer :group_id, null: true
@@ -28,6 +29,7 @@ Sequel.migration do
       Integer :resource_id, null: true
       String :resource_name, null: true
       String :resource_external_id, null: true
+      String :resource_external_type, null: true
       DateTime :created_at, null: false, default: Sequel::CURRENT_TIMESTAMP
       DateTime :updated_at, null: false, default: Sequel::CURRENT_TIMESTAMP
     end

data/db/migrate/8_add_indexes_to_edges.rb

@@ -0,0 +1,17 @@
+Sequel.migration do
+  up do
+    add_index :super_auth_edges, :user_id
+    add_index :super_auth_edges, :group_id
+    add_index :super_auth_edges, :role_id
+    add_index :super_auth_edges, :permission_id
+    add_index :super_auth_edges, :resource_id
+  end
+
+  down do
+    drop_index :super_auth_edges, :user_id
+    drop_index :super_auth_edges, :group_id
+    drop_index :super_auth_edges, :role_id
+    drop_index :super_auth_edges, :permission_id
+    drop_index :super_auth_edges, :resource_id
+  end
+end

data/db/migrate/9_add_by_current_user_index.rb

@@ -0,0 +1,12 @@
+Sequel.migration do
+  up do
+    add_index :super_auth_authorizations,
+      [:user_external_id, :resource_external_type, :resource_external_id],
+      name: :idx_sa_auth_by_current_user
+  end
+  down do
+    drop_index :super_auth_authorizations,
+      [:user_external_id, :resource_external_type, :resource_external_id],
+      name: :idx_sa_auth_by_current_user
+  end
+end

data/db/migrate_activerecord/20250101000001_create_super_auth_users.rb

@@ -0,0 +1,10 @@
+class CreateSuperAuthUsers < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_users do |t|
+      t.string :external_id
+      t.string :external_type
+      t.string :name
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+  end
+end

data/db/migrate_activerecord/20250101000002_create_super_auth_groups.rb

@@ -0,0 +1,11 @@
+class CreateSuperAuthGroups < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_groups do |t|
+      t.string :name, null: false
+      t.bigint :parent_id
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+
+    add_foreign_key :super_auth_groups, :super_auth_groups, column: :parent_id
+  end
+end

data/db/migrate_activerecord/20250101000003_create_super_auth_permissions.rb

@@ -0,0 +1,8 @@
+class CreateSuperAuthPermissions < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_permissions do |t|
+      t.string :name, null: false
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+  end
+end

data/db/migrate_activerecord/20250101000004_create_super_auth_roles.rb

@@ -0,0 +1,11 @@
+class CreateSuperAuthRoles < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_roles do |t|
+      t.string :name, null: false
+      t.bigint :parent_id
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+
+    add_foreign_key :super_auth_roles, :super_auth_roles, column: :parent_id
+  end
+end

data/db/migrate_activerecord/20250101000005_create_super_auth_resources.rb

@@ -0,0 +1,10 @@
+class CreateSuperAuthResources < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_resources do |t|
+      t.string :name
+      t.string :external_id
+      t.string :external_type
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+  end
+end

data/db/migrate_activerecord/20250101000006_create_super_auth_edges.rb

@@ -0,0 +1,12 @@
+class CreateSuperAuthEdges < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_edges do |t|
+      t.references :user, foreign_key: { to_table: :super_auth_users }, null: true
+      t.references :group, foreign_key: { to_table: :super_auth_groups }, null: true
+      t.references :permission, foreign_key: { to_table: :super_auth_permissions }, null: true
+      t.references :role, foreign_key: { to_table: :super_auth_roles }, null: true
+      t.references :resource, foreign_key: { to_table: :super_auth_resources }, null: true
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+  end
+end

data/db/migrate_activerecord/20250101000007_create_super_auth_authorizations.rb

@@ -0,0 +1,41 @@
+class CreateSuperAuthAuthorizations < ActiveRecord::Migration[7.0]
+  def change
+    create_table :super_auth_authorizations do |t|
+      t.integer :user_id
+      t.string :user_name
+      t.string :user_external_id
+      t.string :user_external_type
+      t.datetime :user_created_at
+      t.datetime :user_updated_at
+
+      t.integer :group_id
+      t.string :group_name
+      t.string :group_path
+      t.string :group_name_path
+      t.string :group_parent_name
+      t.string :group_parent_id
+      t.datetime :group_created_at
+      t.datetime :group_updated_at
+
+      t.integer :role_id
+      t.string :role_name
+      t.string :role_path
+      t.string :role_name_path
+      t.string :role_parent_id
+      t.datetime :role_created_at
+      t.datetime :role_updated_at
+
+      t.integer :permission_id
+      t.string :permission_name
+      t.datetime :permission_created_at
+      t.datetime :permission_updated_at
+
+      t.integer :resource_id
+      t.string :resource_name
+      t.string :resource_external_id
+      t.string :resource_external_type
+
+      t.timestamps default: -> { "CURRENT_TIMESTAMP" }
+    end
+  end
+end

data/db/migrate_activerecord/20250101000009_add_by_current_user_index_to_super_auth_authorizations.rb

@@ -0,0 +1,7 @@
+class AddByCurrentUserIndexToSuperAuthAuthorizations < ActiveRecord::Migration[8.0]
+  def change
+    add_index :super_auth_authorizations,
+      [:user_external_id, :resource_external_type, :resource_external_id],
+      name: :idx_sa_auth_by_current_user
+  end
+end

data/db/seeds/sample_data.rb

@@ -0,0 +1,193 @@
+# Sample data based on the README examples
+# This seed file creates a complete authorization graph for demonstration
+
+puts "Creating sample data for SuperAuth..."
+
+# Initialize SuperAuth
+require 'super_auth'
+SuperAuth.load
+
+# Detect which ORM we're using
+if defined?(SuperAuth::ActiveRecord::User)
+  User = SuperAuth::ActiveRecord::User
+  Group = SuperAuth::ActiveRecord::Group
+  Role = SuperAuth::ActiveRecord::Role
+  Permission = SuperAuth::ActiveRecord::Permission
+  Resource = SuperAuth::ActiveRecord::Resource
+  Edge = SuperAuth::ActiveRecord::Edge
+else
+  User = SuperAuth::User
+  Group = SuperAuth::Group
+  Role = SuperAuth::Role
+  Permission = SuperAuth::Permission
+  Resource = SuperAuth::Resource
+  Edge = SuperAuth::Edge
+end
+
+# Clear existing data (optional - comment out if you don't want this)
+puts "Clearing existing data..."
+Edge.delete_all
+Group.update_all(parent_id: nil)
+Role.update_all(parent_id: nil)
+User.delete_all
+Group.delete_all
+Role.delete_all
+Permission.delete_all
+Resource.delete_all
+
+# Create users
+puts "Creating users..."
+peter = User.create!(name: 'Peter')
+michael = User.create!(name: 'Michael')
+bethany = User.create!(name: 'Bethany')
+eloise = User.create!(name: 'Eloise')
+anna = User.create!(name: 'Anna')
+dillon = User.create!(name: 'Dillon')
+guest = User.create!(name: 'Guest')
+
+# Create group hierarchy
+puts "Creating groups..."
+company = Group.create!(name: 'Company')
+engineering_dept = Group.create!(name: 'Engineering_dept', parent: company)
+backend = Group.create!(name: 'Backend', parent: engineering_dept)
+frontend = Group.create!(name: 'Frontend', parent: engineering_dept)
+sales_department = Group.create!(name: 'Sales Department', parent: company)
+marketing_department = Group.create!(name: 'Marketing Department', parent: company)
+customers = Group.create!(name: 'Customers')
+customer_a = Group.create!(name: 'CustomerA', parent: customers)
+customer_b = Group.create!(name: 'CustomerB', parent: customers)
+vendors = Group.create!(name: 'Vendors')
+vendor_a = Group.create!(name: 'VendorA', parent: vendors)
+vendor_b = Group.create!(name: 'VendorB', parent: vendors)
+
+# Create role hierarchy
+puts "Creating roles..."
+employee = Role.create!(name: 'Employee')
+engineering = Role.create!(name: 'Engineering', parent: employee)
+senor_software_dev = Role.create!(name: 'Señor Software Developer', parent: engineering)
+senor_designer = Role.create!(name: 'Señor Designer', parent: engineering)
+software_developer = Role.create!(name: 'Software Developer', parent: engineering)
+production_support = Role.create!(name: 'Production Support', parent: engineering)
+sales_and_marketing = Role.create!(name: 'Sales and Marketing', parent: employee)
+marketing_manager = Role.create!(name: 'Marketing Manager', parent: sales_and_marketing)
+marketing_associate = Role.create!(name: 'Marketing Associate', parent: sales_and_marketing)
+customer_role = Role.create!(name: 'CustomerRole')
+
+# Create permissions
+puts "Creating permissions..."
+create_perm = Permission.create!(name: 'create')
+read_perm = Permission.create!(name: 'read')
+update_perm = Permission.create!(name: 'update')
+delete_perm = Permission.create!(name: 'delete')
+invoice_perm = Permission.create!(name: 'invoice')
+login_perm = Permission.create!(name: 'login')
+reboot_perm = Permission.create!(name: 'reboot')
+deploy_perm = Permission.create!(name: 'deploy')
+sign_contract_perm = Permission.create!(name: 'sign_contract')
+subscribe_perm = Permission.create!(name: 'subscribe')
+unsubscribe_perm = Permission.create!(name: 'unsubscribe')
+publish_design_perm = Permission.create!(name: 'publish_design')
+
+# Create resources
+puts "Creating resources..."
+app1 = Resource.create!(name: 'app1')
+app2 = Resource.create!(name: 'app2')
+staging = Resource.create!(name: 'staging')
+db1 = Resource.create!(name: 'db1')
+db2 = Resource.create!(name: 'db2')
+core_design_template = Resource.create!(name: 'core_design_template')
+customer_profile = Resource.create!(name: 'customer_profile')
+marketing_website = Resource.create!(name: 'marketing_website')
+customer_post1 = Resource.create!(name: 'customer_post1')
+customer_post2 = Resource.create!(name: 'customer_post2')
+customer_post3 = Resource.create!(name: 'customer_post3')
+
+# Create edges (authorization relationships)
+puts "Creating authorization edges..."
+
+# Example 1: Peter can access core_design_template through Frontend -> Engineering -> CRUD
+Edge.create!(user: peter, group: frontend)
+Edge.create!(group: frontend, role: engineering)
+Edge.create!(role: engineering, permission: create_perm)
+Edge.create!(role: engineering, permission: read_perm)
+Edge.create!(role: engineering, permission: update_perm)
+Edge.create!(role: engineering, permission: delete_perm)
+Edge.create!(resource: core_design_template, permission: create_perm)
+Edge.create!(resource: core_design_template, permission: read_perm)
+Edge.create!(resource: core_design_template, permission: update_perm)
+Edge.create!(resource: core_design_template, permission: delete_perm)
+
+# Example 2: Michael can deploy to app1 through Backend -> Production Support
+Edge.create!(user: michael, group: backend)
+Edge.create!(group: backend, role: production_support)
+Edge.create!(role: production_support, permission: deploy_perm)
+Edge.create!(permission: deploy_perm, resource: app1)
+
+# Example 3: Anna can read customer posts through CustomerA -> CustomerRole
+Edge.create!(user: anna, group: customer_a)
+Edge.create!(group: customer_a, role: customer_role)
+Edge.create!(role: customer_role, permission: read_perm)
+Edge.create!(permission: read_perm, resource: customer_post1)
+Edge.create!(permission: read_perm, resource: customer_post2)
+
+# Additional scenarios for demonstration
+
+# Bethany has multiple authorization paths
+Edge.create!(user: bethany, group: engineering_dept)
+Edge.create!(group: engineering_dept, role: engineering)
+Edge.create!(permission: read_perm, resource: staging)
+
+# Bethany also has direct role assignment
+Edge.create!(user: bethany, role: production_support)
+Edge.create!(permission: deploy_perm, resource: staging)
+
+# Dillon has direct resource access (simplest path)
+Edge.create!(user: dillon, resource: db1)
+
+# Eloise has user -> permission -> resource path
+Edge.create!(user: eloise, permission: reboot_perm)
+Edge.create!(permission: reboot_perm, resource: db2)
+
+# Marketing department scenario
+Edge.create!(user: anna, group: marketing_department)
+Edge.create!(group: marketing_department, role: marketing_associate)
+Edge.create!(role: marketing_associate, permission: subscribe_perm)
+Edge.create!(role: marketing_associate, permission: unsubscribe_perm)
+Edge.create!(permission: subscribe_perm, resource: customer_profile)
+Edge.create!(permission: unsubscribe_perm, resource: customer_profile)
+
+# Vendor access
+Edge.create!(user: michael, group: vendor_a)
+Edge.create!(group: vendor_a, permission: invoice_perm)
+Edge.create!(permission: invoice_perm, resource: app1)
+
+# Company-wide access
+Edge.create!(user: bethany, group: company)
+Edge.create!(group: company, role: employee)
+Edge.create!(role: employee, permission: login_perm)
+Edge.create!(permission: login_perm, resource: app2)
+
+# Senior Designer role
+Edge.create!(user: peter, group: frontend) # Already created above, but illustrating
+Edge.create!(group: frontend, role: senor_designer)
+Edge.create!(role: senor_designer, permission: publish_design_perm)
+Edge.create!(permission: publish_design_perm, resource: marketing_website)
+
+# Backend developers sharing permissions
+Edge.create!(user: dillon, group: backend)
+Edge.create!(group: backend, role: software_developer)
+Edge.create!(role: software_developer, permission: update_perm)
+Edge.create!(permission: update_perm, resource: staging)
+
+# Senior software developer with multiple permissions
+# (Michael already has vendor_a group)
+Edge.create!(group: backend, role: senor_software_dev)
+Edge.create!(role: senor_software_dev, permission: read_perm)
+Edge.create!(role: senor_software_dev, permission: update_perm)
+Edge.create!(role: senor_software_dev, permission: deploy_perm)
+# Resources already connected above
+
+puts "Sample data created successfully!"
+puts "#{User.count} users, #{Group.count} groups, #{Role.count} roles"
+puts "#{Permission.count} permissions, #{Resource.count} resources"
+puts "#{Edge.count} authorization edges"

data/lib/basic_loader.rb

@@ -1,5 +1,3 @@
-# frozen_string_literal: true
-
 # File generated automatically, do not edit
 # See https://blog.pawelpokrywka.com/p/gem-with-zeitwerk-as-development-only-dependency
 

data/lib/generators/super_auth/install/install_generator.rb

@@ -0,0 +1,19 @@
+require 'rails/generators'
+
+module SuperAuth
+  module Generators
+    class InstallGenerator < Rails::Generators::Base
+      source_root File.expand_path('../templates', __FILE__)
+
+      desc "Creates a SuperAuth initializer"
+
+      def copy_initializer
+        template 'super_auth.rb', 'config/initializers/super_auth.rb'
+      end
+
+      def show_readme
+        readme 'README' if behavior == :invoke
+      end
+    end
+  end
+end

data/lib/generators/super_auth/install/templates/README

@@ -0,0 +1,29 @@
+===============================================================================
+
+SuperAuth initializer created at config/initializers/super_auth.rb
+
+Next steps:
+
+1. Run migrations to create the database tables:
+
+   SuperAuth.install_migrations
+
+   You can run this in the Rails console or add it to a rake task.
+
+2. Mount the engine in config/routes.rb:
+
+   mount SuperAuth::Engine => '/super_auth'
+
+3. (Optional) Load sample data to see the visualization in action:
+
+   rails runner "load File.join(SuperAuth::Engine.root, 'db/seeds/sample_data.rb')"
+
+4. Start your Rails server and visit:
+
+   http://localhost:3000/super_auth/visualization
+
+For more information, see:
+- VISUALIZATION.md for full documentation
+- README.md for usage examples
+
+===============================================================================

data/lib/generators/super_auth/install/templates/super_auth.rb

@@ -0,0 +1,7 @@
+# SuperAuth Initializer
+# The SuperAuth Railtie automatically connects to your database and loads all
+# models on boot. Use this file for any additional configuration.
+#
+# SuperAuth.setup do |config|
+#   # configuration options here
+# end

data/lib/super_auth/active_record/by_current_user.rb

@@ -1,24 +1,39 @@
 module SuperAuth::ActiveRecord::ByCurrentUser
   def self.included(base)
-    base.has_many :super_auth_authorizations
-
     base.send(:default_scope, **{all_queries: true}) do
-      raise "SuperAuth.current_user not set" if SuperAuth.current_user.blank?
+      next none if SuperAuth.current_user.blank?
 
-      if SuperAuth.current_user.system?
+      if SuperAuth.current_user.respond_to?(:system?) && SuperAuth.current_user.system?
         self
       else
-        # Important:
-        # We use a subquery here instead of a inner join because we don't want
-        # to potentially affect break on queries issue count queries in their app.
-        where(id: SuperAuth::ActiveRecord::Authorization.where(super_auth_user_id: SuperAuth.current_user.id).select(:resource_id))
+        user_where =
+        if SuperAuth.current_user.is_a?(SuperAuth::ActiveRecord::User)
+          { user_id: SuperAuth.current_user.id }
+        else
+          { user_external_id: SuperAuth.current_user.id, user_external_type: SuperAuth.current_user.class.name }
+        end
+
+        resource_type = self.model.name
+
+        # Type-level authorization (resource_external_id IS NULL) acts as wildcard:
+        # user has access to ALL records of this type (e.g., admin with ADMIN_ACCESS).
+        type_level = SuperAuth::ActiveRecord::Authorization
+          .where(**user_where, resource_external_type: resource_type, resource_external_id: nil)
+
+        if type_level.exists?
+          self
+        else
+          # Per-record authorization: filter to specific records the user can access.
+          where(
+            id: SuperAuth::ActiveRecord::Authorization
+                .where(**user_where, resource_external_type: resource_type)
+                .where.not(resource_external_id: nil)
+                .select(:resource_external_id))
+        end
       end
     end
   end
 
-  def system? = false
-
   module ClassMethods
   end
-
 end

data/lib/super_auth/active_record/edge.rb

@@ -1,3 +1,48 @@
 class SuperAuth::ActiveRecord::Edge < ActiveRecord::Base
   self.table_name = 'super_auth_edges'
+  belongs_to :user, class_name: 'SuperAuth::ActiveRecord::User', optional: true
+  belongs_to :group, class_name: 'SuperAuth::ActiveRecord::Group', optional: true
+  belongs_to :permission, class_name: 'SuperAuth::ActiveRecord::Permission', optional: true
+  belongs_to :role, class_name: 'SuperAuth::ActiveRecord::Role', optional: true
+  belongs_to :resource, class_name: 'SuperAuth::ActiveRecord::Resource', optional: true
+
+  class << self
+    def authorizations
+      from("(#{
+        SuperAuth::Edge.authorizations.sql
+        }) as super_auth_edges".squish
+      )
+    end
+
+    def users_resources
+      SuperAuth::ActiveRecord::Edge.from(
+        %Q[(#{SuperAuth::Edge.users_resources.sql}) as super_auth_edges]
+      )
+    end
+
+    def users_groups_roles_permissions_resources
+      SuperAuth::ActiveRecord::Edge.from(
+        %Q[(#{SuperAuth::Edge.users_groups_roles_permissions_resources.sql}) as super_auth_edges]
+      )
+    end
+
+    def users_groups_permissions_resources
+      SuperAuth::ActiveRecord::Edge.from(
+        %Q[(#{SuperAuth::Edge.users_groups_permissions_resources.sql}) as super_auth_edges]
+      )
+    end
+
+    def users_roles_permissions_resources
+      SuperAuth::ActiveRecord::Edge.from(
+        %Q[(#{SuperAuth::Edge.users_roles_permissions_resources.sql}) as super_auth_edges]
+      )
+    end
+
+    def users_permissions_resources
+      SuperAuth::ActiveRecord::Edge.from(
+        %Q[(#{SuperAuth::Edge.users_permissions_resources.sql}) as super_auth_edges]
+      )
+    end
+  end
+
 end

data/lib/super_auth/active_record/group.rb

@@ -1,3 +1,10 @@
 class SuperAuth::ActiveRecord::Group < ActiveRecord::Base
   self.table_name = 'super_auth_groups'
+
+  belongs_to :parent, class_name: 'SuperAuth::ActiveRecord::Group', optional: true
+
+  def descendants_dataset
+    sql = SuperAuth::Group.new(id: self.id, parent_id: self.parent_id).descendants_dataset.sql
+    self.class.from(%Q[(#{sql}) as super_auth_groups])
+  end
 end