looks like it was copied without the escaping being taken into account

I'm trying to represent users, groups, and resources over - DIDs (users) - AtURI (content-addressable resource ids:

<did>/<space>/[nsid]/<rkey>

) [full schema](https://github.com/blebbit/atproto/blob/main/packages/pds/src/authz/spicedb/schema/atproto.zed) I have a resource type for each segment of the segments, with a parenting setup to support nesting/hierarchy, and each AtUri has an associate data record tied to it, except for

nsid

. They are only for structuring records and granting permissions, in OAuth scopes today, and content/methods tbd, that's what I'm working on. NSID are defined by any DID, it's a very dynamic list. There are

nsid

for queries and procedures that will never have records, but we still want to put permissions over them. Certain

nsid

are expected to have high numbers of records and storing the parenting relationship in spice, which seems inefficient? Are caveats something that can help me here? What if those caveats are large sets? The new way to specify OAuth scopes over the dynamic NSID is as a permission set https://github.com/bluesky-social/proposals/blob/main/0011-auth-scopes/README.md#permission-sets I image we need something similar for the custom roles that we want in the content permission system, and then have to reflect those within spice by making a number of calls, or a bulk input? (maybe one day even replace the OAuth permission setup and unify the two... #futurology)

If I’m deploying the same service in Dublin, New Jersey, North Carolina can I get away with using PostgreSQL? What approaches do folks take?

Would I have to take care of atomic txg that span across all regions using something like Temporal Workflows to update individual SpiceDBs in PG?

if you're deploying multi-region, you need to use a multi-HA system like CRDB or you need to have all writes going to a single region

external transaction managers will not work

What strategy can I use for reads ? Sync / Async replication to the local sites ?

you can use read replica support

but I would recommend using CRDB

Is SpiceDB sticking with the feature set that is available in the latest Apache v2 licensed version?

?

CRDB went BSL

Im wondering if spicedb is going to use features available in the BSL versions, its the reason I was looking at PG

unless CRDB moves more features to BSL, I don't see that being the case

One of the challenges in authz systems is understanding what attributes are required in order to allow someone to be granted access to- especially when they are denied access. I am new to spicedb so can you please help me understand how this problem is addressed?

in what context?

one thing that may help is the

--explain

flag on

zed

calls - it can show you the path by which a user was (or wasn't) granted access. i don't think it will compare it to the entire schema as it's currently implemented - it will only tell you where the path starts and ends. otherwise my usual approach is to manually trace based on reading the schema and issuing readrels to check hops. this could be a nice enhancement for zed, though.

Thank you. I will spend some time looking into --explain - by guess is that its useful for describing why an authz decision was made - and not so much for what would have been required in the event of failures. Its that manual tracing that is cumbersome - especially at scale...

in my experience (e.g. using SpiceDB at my old company) i'm not typically having to do much of it. do you have a particularly complex schema?

like what's the task you're envisioning?

I haven’t designed a schema yet - but here’s a simple example. Let’s say we are locking down access to specific tables using groups - different group for each table - potentially different variation of the group for read vs write. When you have a large no of tables and large number of users it would be ideal for error message returned to say what group is required for access so the user can self serve. That’s a very simple example obviously.

unless everything is dynamic, i'd expect that you'd know something aboout your schema that would be exposed in your UI. if everything is dynamic, i'd probably strive to keep the schema relatively flat, and provide UI elements like AWS IAM or something like that where it tells the user what permission they're missing to do a particular thing, such that it'd be relatively easy for a user to translate missing permission -> missing role. this was something that we talked about at my last company, but things never got complex enough to warrant it.

I’ll take a look in the next few days. Thanks for responding though!

What are permission spaces? Is that the

<space>/user:<id>

on all resources? Can I use that for partitioning relations in the same database / spicedb instances?

just wanted to say how helpful it is that the tooling allows me to build, test, and experiment with my schema without having to touch code while I figure things out

that's the goal 🙂

Hey team, we noticed the latest

authzed-py

release

1.22.0

might have been broken. I've raised an issue [here](https://github.com/authzed/authzed-py/issues/280). We are currently pinning to an earlier version as a workaround but would appreciate a fix at some point. Thank you!

How to sign up for the cloud service? I'm on authzed.com/cloud/signup but there's nothing on this page besides lita cho from moment telling me how great authzed is

Terrible idea to put the last message in this channel up on the website

At least use the display name and not my discord user name