# spicedb
  • y

    yetitwo

    12/01/2025, 10:20 PM
    hmm... i wonder if it'd be possible with check explains?
  • y

    yetitwo

    12/01/2025, 10:20 PM
    define it using caveats, send a request with context for authz and then send a request with explain and without context for the retrieval
  • y

    yetitwo

    12/01/2025, 10:21 PM
    see `with_tracing`: https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.CheckPermissionRequest
  • y

    yetitwo

    12/01/2025, 10:21 PM
    and you should be able to test with `zed permission check --explain`
  • y

    yetitwo

    12/02/2025, 3:19 AM
    i think you might not even need a second request 🤔
  • p

    puneetchitkariya

    12/02/2025, 6:15 AM
    If I have to join this with the List Objects/User, I will have to call the explain API per row of output, right?
  • m

    marioc

    12/02/2025, 10:13 AM
    Hello again, I assume that Materialize is not an add-on but comes preloaded with your dedicated platform SpiceDB? Do you already provide this application to customers outside the US? From your website I see some big names as current customers. Have you already implemented Materialize to national or regional healthcare providers? We are working with a national health service outside of the US; however, this entity was made up of smaller trusts and some of their data was partitioned separately while some databases were accessible throughout the board. These trusts are merging AGAIN, therefore, they are looking to streamline and integrate the current system and possibly make comprehensive use from the word GO of Materialize for initial audits. Any ideas, tips or experiences?
  • f

    Founding AI Engineer

    12/02/2025, 10:57 AM
    Hi folks! SpiceDB dev here, would adding a flag to disable tracing for healthcheck calls be useful?
  • m

    mor

    12/02/2025, 12:02 PM
    Hi, we have the following schema:
    ```
    definition user {}

    definition usergroup {
        relation direct_member: resource_pool_group
        permission member = direct_member
    }

    definition resource_pool_group {
        relation parent: resource_pool_group
        relation owner: user | usergroup#member
        relation can_edit: user | usergroup#member
        permission edit = parent->edit + owner
        permission explicitly_permitted = owner
        permission can_edit_permission = owner + can_edit
    }

    definition project {
        relation resource_pool_group: resource_pool_group
        relation responsible_team: usergroup
        relation owner: user | usergroup#member
        permission edit = owner + responsible_team->member + resource_pool_group->edit
        permission create_deployment = owner + responsible_team->member
        permission resources_editor = resource_pool_group->member
    }
    ```
    and we have about 10k objects. When we use checkbulk it takes something like 3 sec. Is it normal, or do we need to change your schema for performance improvement?
  • s

    springroll12

    12/03/2025, 1:57 PM
    Hello. We are evaluating SpiceDB for use as a relationship platform, and I'm wondering about the status of the REST API. I see a lot of POST requests and no GET, as well as a number of deprecated APIs. Is the REST API a first-class citizen in SpiceDB or is it preferred to use GRPC?
  • t

    Toi

    12/03/2025, 7:49 PM
    Hey @yetitwo, I just found this 2022 message of yours 😆 Did you manage to set up the zed validate within circleci? I'm having some trouble doing so
  • n

    Nikhil

    12/03/2025, 10:25 PM
    Hey all, are the official client libraries only usable if we use the hosted solution or can we use them to connect to a self-hosted SpiceDB instance? Looking at the initializing client section it says you need an "API token from the Authzed dashboard" if the client library only works with hosted, what's the recommended way to interface with a self hosted spicedb instance? https://github.com/authzed/authzed-node
  • p

    Perseus

    12/04/2025, 9:19 AM
    Hello, we need some use-case/schema modelling assistance - We're trying to model a sort-of-attribute-based authz with our existing SpiceDB Schema. We looked at the ABAC guide here - https://authzed.com/docs/spicedb/modeling/attributes and while it would work for some of our cases (not all), it seems like the recommended way to do it is via Caveats. We need to be able to give permissions to a resource(A) in a few ways
    1. Only if a 'setting' is enabled in a related resource(B).
    2. Only if a certain condition (ideally sent in the caveat context) in the related resource(B) is true

    The problem we're running into is that caveats seem to be defined only against relations and not permissions. With that constraint, we cannot use the same relation across multiple permissions, only some of which might require that caveat. I've made a small reproducible schema with comments on what we're stuck on - https://play.authzed.com/s/C2CfvNEhS2mj/schema Any help/alternative ways to achieve what we want would be highly appreciated!
  • p

    pablo

    12/05/2025, 9:20 AM
    Hii.. we have been struggling for a while with latency and haven't been able to solve it. At the beginning we thought it had to do with our schema, but even when it does a direct relation check it is still slow. Is this expected? Looking at our pods, both of spicedb and postgres there is no CPU or memory issue. Would love any help or tips
    ```
    ✓ issue:23246 view (220.908873ms)
    ├── ⨉ issue:23246 n_cc (2.714128ms)
    └── ✓ portfolio:2 view (170.977547ms)
        └── ✓ portfolio:2 admin (162.245418ms)
            └── ✓ tenant:1 is_admin (149.084628ms)
                └── ✓ tenant:1 super_admin (139.782078ms)
                    └── ✓ role:super_admin_1 neighbour (23.867279ms)
                        └── neighbour:15
    ```
  • k

    Kurt

    12/05/2025, 7:55 PM
    Howdy, is there any way to split the definitions of permissions in the schema.zed file to multiple lines? We've got a few lines that are getting very very long
  • j

    Joey

    12/05/2025, 8:38 PM
    yes, it follows the same rules as Go: make sure to put an operator as the last item on the previous line
  • k

    Kurt

    12/05/2025, 8:39 PM
    awesome, thank you! I was putting the operator on the next line
  • m

    magec

    12/09/2025, 8:54 AM
    Hello, I have a question regarding schema definitions and user defined roles. Been reading the [article](https://authzed.com/blog/user-defined-roles) about user-defined roles, but it does not really fit my example as I want to have the predefined roles in the schema itself. I have a system that has users that belong to orgs, apps that belong to orgs, and users can have roles over apps: viewer, editor, admin. The available permissions for these predefined roles are:
    - admin: create/delete/view/edit
    - viewer: view
    - editor: view/edit

    I would like to provide custom roles at the org level. I have come up [with a solution](https://play.authzed.com/s/6tI77U6bCyxb/schema) that I think works well, but given that I am pretty new to this, I am unsure whether I am doing something totally wrong. What I do is I define orgs/app/users as definitions and also a new one called `custom_role`, where I define the organization relationship, and also 'self relationships', one per 'permissions' in apps. With this in place I just need to add these custom_org permissions from orgs to the calculation of app permissions, is this correct?
  • s

    Sohan

    12/09/2025, 7:03 PM
    Just a heads-up, on Dec 10th we have a SpiceDB Live session where @yetitwo demoes a new open source `spicedb-parser-js`. We also have Atikur who will demo a UI he built for SpiceDB called Lens. This will be right here in Discord: https://discord.gg/RGCKZQQz?event=1443309664275136785
  • f

    frekw

    12/10/2025, 9:59 AM
    Hi guys! What's the status of getting a new version of the operator released? 🙂 It's currently trailing by quite a few versions!
  • k

    Kolt

    12/10/2025, 5:44 PM
    Hi all, we're running some operations on spicedb in a script which is lightly hitting the service to set up some relationships. We run this script and everything goes well until we randomly get "403 unauthorized" errors when calling spicedb. This happens on read and write calls, I don't see a consistent set of records it's choking up on. Any idea what the issue may be or where I should investigate?
  • a

    Atikur Rahman

    12/10/2025, 6:07 PM
    Thanks for having me today! Had a great time demoing SpiceDB Lens. Would really appreciate it if you could give it a try and share any feedback - always looking to improve! https://www.spicedblens.com/download
  • d

    dystopiandev

    12/12/2025, 7:22 PM
    Hi folks, we're going through https://authzed.com/docs/spicedb/concepts/expiring-relationships and noticed the newly recommended `<type> with expiration` delegates value of `now` to the underlying data store. About this:
    > It requires clients to provide the now timestamp. This is additional complexity for clients.

    Conversely, client-side provision of that value is crucial to our systems. We use TimeProvider abstraction in .NET that serves as the central source of truth for time, meaning we always override data stores' internal clocks by explicitly setting time columns/fields. Our TimeProvider is backed by different sources across projects, but what's important is that the app decides what `now` is, not any of the data stores or other infra. So we've skimmed and weren't able to find any notes on this: if specifying `now` for `<type> with expiration` is planned, unplanned or outright technically impossible to implement even in the future. If anyone could advise please. Thanks.
  • s

    StanFyr

    12/15/2025, 4:11 PM
    Hello all! I have a schema in which I have a recursive relation: Parent. I also have a relation "secured" that is partly calculated on that parent relation. The issue I have is when I get to the top item, that has no parent. Is there a way to add a condition in the permission to not go further and ignore the permission check on that root item? Here is a schema definition containing the idea:
    ```
    definition workspace {
        relation parent: workspace
        permission secured = parent->secured & other_irrelevant_perm
        permission other_irrelevant_perm = <the other permission checked at each level>
    }
    ```
    Is there a way to ignore the `parent->secured` if `parent` has no relations?
  • j

    Joey

    12/15/2025, 5:10 PM
    you'd have to use a union with `parent->secured` to something like "all users" or a wildcard on the "root" workspace
  • j

    Joey

    12/15/2025, 5:10 PM
    there isn't a way right now to do a "conditional" intersection
  • s

    StanFyr

    12/15/2025, 5:12 PM
    but if I add a union on the parent->secured and a wildcard, the wildcard will always be true, so the parent->secured will never actually have any impact, no?
  • s

    StanFyr

    12/15/2025, 5:12 PM
    oh, you mean that wildcard would only be true for the root workspace?
  • j

    Joey

    12/15/2025, 6:20 PM
    yes
  • p

    ponyloky

    12/17/2025, 10:37 AM
    👋 hi everyone, I’m curious whether anyone has experience with what is the most scalable of two approaches. For a definition, we have a relationship that determines whether a resource has been made sharable. If not set, it’s private. We now need to be able to display whether the resource is private in the UI. The two options we are considering are: caching the sharable state in the DB so when we load the resource we already have all the data we need to display it and we just need to do an access check on SpiceDB. This requires that we keep the DB and SpiceDB in sync. Or, we can add a second call to SpiceDB to check whether the relationship is there and augment the results we get from the DB. We’ll need this for both querying for a single resource as well as querying for a list of resources.