[SOLVED] what is the best way to have a user assign permissions outside their own scope?
- Web
- Databases
- Accounts
- Users
- Functions
I have an "admin" account that can create documents in a collection.
I would like the documents it creates (with document security enabled) to have full permissions to its own user (the admin), and read and delete permissions for another user that I specify (a service account style user).
When I try this I get an error that seems to suggest my admin user can only set permissions equal to: any, users, itself, itself(verified), users(verified), and team(that it is a member of).
Is there a setting I can enable on this account that allows it to perform these actions, or am I best creating a function for this kind of functionality?
I am currently using the Web SDK.
can you give the admin access at the collection level?
I have given them full permissions on the collection level
then no need to add them at the document level
```
ERROR Error: Uncaught (in promise): AppwriteException: Permissions must be one of: (any, users, user:6410dc3c5c74561cb5a3, user:6410dc3c5c74561cb5a3/verified, users/verified, team:6410dad5d1d004c0a990, member:6410dc5623975c5eedea, team:6410dad5d1d004c0a990/admin)
AppwriteException@http://localhost:4200/vendor.js:78897:5
```
Is the exact error, and when I reference the IDs that it complains about they correspond to the IDs of the user, and the team that the user is a member of.
what's your code?
Adding permissions for the admin account is already taken care of. The problem is that I need the admin to also grant another user access to that document and it doesn't seem like it is supported.
```ts
const newTerm = await Api.database().createDocument<TerminalModel>(
  Server.database,
  Server.terminalCollection,
  ID.unique(),
  terminal,
  [
    // Permissions for standard logged in users
    Permission.read(Role.user(Server.adminUserId)),
    Permission.update(Role.user(Server.adminUserId)),
    Permission.delete(Role.user(Server.adminUserId)),
    // Permissions for the agent who will deploy these terminals
    Permission.read(Role.user(agent)),
    Permission.delete(Role.user(agent)),
  ]
);
```
Is the snippet that I create the document with
wait sorry. i meant can you give the service account access at the collection level?
I could do that but I'm trying to just have 1 big collection of "jobs" that the "service accounts" will pull from. And to prevent the service accounts from stepping on each others workloads I thought I could use appwrite permissions to make each account only able to see its assigned jobs.
i see. you'll either need a function to create the document or separate collections per service account so you can put the service account at the collection level permission
Alright thank you very much. Wanted to make sure there wasn't something I was missing from the appwrite features.
I understand that it would depend on a lot of things but which approach would you take for something like this?
Definitely depends. one interesting thing about the collection route is you would have to find a way to let the client app figure out which collection to use since it would be dynamic
so it could add complexity to the front end app
but it could help segregate the data better
Yeah that sounds about right. Thank you very much for the help. What is the proper way to mark one of these as solved?
Update the post title to prefix it with [SOLVED]