# spicedb
  • Hey @yetitwo , I just found this 2022
    t

    Toi

    12/03/2025, 7:49 PM
    Hey @yetitwo, I just found this 2022 message of yours 😆 Did you manage to set up the zed validate within circleci? I'm having some trouble doing so
  • GitHub - authzed/authzed-node: Official ...
    n

    Nikhil

    12/03/2025, 10:25 PM
    Hey all, are the official client libraries only usable if we use the hosted solution or can we use them to connect to a self-hosted SpiceDB instance? Looking at the initializing client section it says you need an "API token from the Authzed dashboard". If the client library only works with hosted, what's the recommended way to interface with a self hosted spicedb instance? https://github.com/authzed/authzed-node
  • Hello, we need some use-case/schema
    p

    Perseus

    12/04/2025, 9:19 AM
    Hello, we need some use-case/schema modelling assistance - We're trying to model a sort-of-attribute-based authz with our existing SpiceDB Schema. We looked at the ABAC guide here - https://authzed.com/docs/spicedb/modeling/attributes and while it would work for some of our cases (not all), it seems like the recommended way to do it is via Caveats. We need to be able to give permissions to a resource(A) in a few ways:
    1. Only if a 'setting' is enabled in a related resource(B).
    2. Only if a certain condition (ideally sent in the caveat context) in the related resource(B) is true.

    The problem we're running into is that caveats seem to be defined only against relations and not permissions. With that constraint, we cannot use the same relation across multiple permissions, only some of which might require that caveat. I've made a small reproducible schema with comments on what we're stuck on - https://play.authzed.com/s/C2CfvNEhS2mj/schema Any help/alternative ways to achieve what we want would be highly appreciated!
  • Hii.. we have been struggling for a
    p

    pablo

    12/05/2025, 9:20 AM
    Hii.. we have been struggling for a while with latency and haven't been able to solve it. At the beginning we thought it had to do with our schema, but even when it does a direct relation check it is still slow. Is this expected? Looking at our pods, both of spicedb and postgres there is no CPU or memory issue. Would love any help or tips
    ```
    ✓ issue:23246 view (220.908873ms)
    ├── ⨉ issue:23246 n_cc (2.714128ms)
    └── ✓ portfolio:2 view (170.977547ms)
        └── ✓ portfolio:2 admin (162.245418ms)
            └── ✓ tenant:1 is_admin (149.084628ms)
                └── ✓ tenant:1 super_admin (139.782078ms)
                    └── ✓ role:super_admin_1 neighbour (23.867279ms)
                        └── neighbour:15
    ```
  • k

    Kurt

    12/05/2025, 7:55 PM
    Howdy, is there any way to split the definitions of permissions in the schema.zed file to multiple lines? We've got a few lines that are getting very very long
  • j

    Joey

    12/05/2025, 8:38 PM
    yes, it follows the same rules as Go: make sure to put an operator as the last item on the previous line
  • k

    Kurt

    12/05/2025, 8:39 PM
    awesome, thank you! I was putting the operator on the next line
  • Hello, I have a question regarding
    m

    magec

    12/09/2025, 8:54 AM
    Hello, I have a question regarding schema definitions and user defined roles, been reading the [article](https://authzed.com/blog/user-defined-roles) about user-defined roles, but it does not really fit my example as I want to have the predefined roles in the schema itself. I have a system that has users that belong to orgs, apps that belong to orgs and users can have roles over apps, viewer, editor admin. The available permissions for these predefined roles are. - admin: create/delete/view/edit - viewer: view - editor: view/edit. I would like to provide custom roles at the org level. I have come up [with a solution](https://play.authzed.com/s/6tI77U6bCyxb/schema) that I think works good, but given that I am pretty new to this, I am unsure whether I am doing something totally wrong. What I do is I define orgs/app/users as definitions and also a new one called `custom_role`, where I define the organization relationship, and also 'self relationships' one per 'permissions' in apps. With this in place I just need to add these custom_org permissions from orgs to the calculation of app permissions, is this correct?
  • s

    Sohan

    12/09/2025, 7:03 PM
    Just a heads-up, on Dec 10th we have a SpiceDB Live session where @yetitwo demoes a new open source `spicedb-parser-js`. We also have Atikur who will demo a UI he built for SpiceDB called Lens. This will be right here in Discord: https://discord.gg/RGCKZQQz?event=1443309664275136785
  • Hi guys! What's the status of getting a
    f

    frekw

    12/10/2025, 9:59 AM
    Hi guys! What's the status of getting a new version of the operator released? 🙂 It's currently trailing by quite a few versions!
  • Hi all, we're running some operations on
    k

    Kolt

    12/10/2025, 5:44 PM
    Hi all, we're running some operations on spicedb in a script which is lightly hitting the service to set up some relationships. We run this script and everything goes well until we randomly get "403 unauthorized" errors when calling spicedb. This happens on read and write calls, I don't see a consistent set of records it's choking up on. Any idea what the issue may be or where I should investigate?
  • a

    Atikur Rahman

    12/10/2025, 6:07 PM
    Thanks for having me today! Had a great time demoing SpiceDB Lens. Would really appreciate it if you could give it a try and share any feedback - always looking to improve! https://www.spicedblens.com/download
  • Authzed Docs
    d

    dystopiandev

    12/12/2025, 7:22 PM
    Hi folks, we're going through https://authzed.com/docs/spicedb/concepts/expiring-relationships and noticed the newly recommended `<type> with expiration` delegates value of `now` to the underlying data store. About this:
    > It requires clients to provide the now timestamp. This is additional complexity for clients.

    Conversely, client-side provision of that value is crucial to our systems. We use TimeProvider abstraction in .NET that serves as the central source of truth for time, meaning we always override data stores' internal clocks by explicitly setting time columns/fields. Our TimeProvider is backed by different sources across projects, but what's important is that the app decides what `now` is, not any of the data stores or other infra. So we've skimmed and weren't able to find any notes on this: if specifying `now` for `<type> with expiration` is planned, unplanned or outright technically impossible to implement even in the future. If anyone could advise please. Thanks.
  • s

    StanFyr

    12/15/2025, 4:11 PM
    Hello all! I have a schema in which I have a recursive relation: Parent. I also have a relation "secured" that is partly calculated on that parent relation. the issue I have is when I get to the top item, that has no parent. is there a way to add a condition in the permission to not go further and ignore the permission check on that root item? here is a schema definition containing the idea:
    ```
    definition workspace {
        relation parent: workspace
        permission secured = parent->secured & other_irrelevant_perm
        permission other_irrelevant_perm = <the other permission checked at each level>
    }
    ```
    is there a way to ignore the `parent->secured` if `parent` has no relations?
  • j

    Joey

    12/15/2025, 5:10 PM
    you'd have to use a union with `parent->secured` to something like "all users" or a wildcard on the "root" workspace
  • j

    Joey

    12/15/2025, 5:10 PM
    there isn't a way right now to do a "conditional" intersection
  • s

    StanFyr

    12/15/2025, 5:12 PM
    but if I add a union on the parent->secured and a wildcard, the wildcard will always be true, so the parent->secured will never actually have any impact, no?
  • s

    StanFyr

    12/15/2025, 5:12 PM
    oh, you mean that wildcard would only be true for the root workspace?
  • j

    Joey

    12/15/2025, 6:20 PM
    yes
  • 👋 hi everyone, I’m curious whether
    p

    ponyloky

    12/17/2025, 10:37 AM
    👋 hi everyone, I’m curious whether anyone has experience with what is the most scalable of two approaches. For a definition, we have a relationship that determines whether a resource has been made sharable. If not set, it’s private. We now need to be able to display whether the resource is private in the UI. The two options we are considering are: caching the sharable state in the DB so when we load the resource we already have all the data we need to display it and we just need to do an access check on SpiceDB. This requires that we keep the DB and SpiceDB in sync. Or, we can add a second call to SpiceDB to check whether the relationship is there and augment the results we get from the DB. We’ll need this for both querying for a single resource as well as querying for a list of resources.
  • LR clarification
    c

    Charlie

    12/17/2025, 7:47 PM
    Regarding this warning about LookupResources: "with a sufficiently large relation dataset, a sufficiently complex schema, or a sufficiently large set of accessible results, you’ll need to take a different approach." What relations contribute to the 'relation dataset' being large in this context? Just data connected to this principal, or also data in entirely separate graphs?
  • Authzed Docs
    f

    Fratt

    12/17/2025, 8:50 PM
    Hi. New SpiceDB learner here and something caught my eye that doesn't align that maybe someone can clarify. It says here that you can't reference permissions in relationships. https://authzed.com/docs/spicedb/concepts/schema#subject-relations but in the playground you write relationships to test assertions and the documentation is referencing permissions in the relationships, not relations. https://authzed.com/docs/spicedb/modeling/developing-a-schema#assertions. For example, it shows "#view" in what appears to be a relationship assertion, but "view" is a permission in the schema it's testing. Are these playground assertions verifying permissions just using the same format as relationships but not really relationships? Thanks!
  • y

    Yash

    12/18/2025, 8:19 AM
    Replying here just to keep in record - The correct config should be enableExperimentalRelationshipExpiration: "true"
  • Hi! New to the community here.
    s

    Saumeel

    12/18/2025, 3:04 PM
    Hi! New to the community here. I was wondering if there are any issues with having a cyclical relationship. We have a use case where we are trying to allowlist the members of certain channels for certain SKUs. In our application, we will do some LookupResource request to get the SKUs that a person can see. Our schema looks something like
    ```
    definition example/channel {
        relation admin_members: example/admins
        relation user_members: example/users
    }

    definition example/admins {
        relation channel: example/channel
    }

    definition example/users {
        relation channel: example/channel
    }

    definition example/skus {
        relation allowlisted_channel_members: example/channel#admin_members | example/channel#user_members

        permission view_sku = allowlisted_channel_members
    }
    ```
    Is there any issue with having a cyclical relationship like user->channel and channel->user? Is there maybe another way to structure this to avoid having the channel->user & channel->admin relations?
  • m

    Maria Ines Parnisari

    12/18/2025, 5:39 PM
    if you are using SpiceDB v1.46.2 or newer, you don't need to pass that flag anymore, as relationship expiration is on by default
  • b

    ben

    12/19/2025, 10:16 PM
    https://github.com/authzed/spicedb/commit/4a9a9935427a3f3355a4d2441b1b6c94f213e46f
  • b

    ben

    12/19/2025, 10:32 PM
    Use at your own risk 😉 Exploring SpiceDB now for my IT+AI platform and I wanted to just get it running natively in my dev environment without needing to run Docker - my app already spins up and manages its Mongo and Valkey instances locally without it. I figured I'd have a go (see what I did there?) at adapting SpiceDB to use Mongo considering it's got transaction support and realtime updates via Change Streams which were probably missing when the Authzed team was working on early datastore support. Ran a bunch of tests and it appeared to work, but I'm only on day 2 with SpiceDB having not yet gone beyond feeding it a bare schema. Won't be used in prod of course (Google Spanner or CockroachDB there) but figured someone might get some use out of the commits.
  • b

    ben

    12/19/2025, 11:40 PM
    And who knows, maybe it will be good enough for production - I'll get back to running load tests and integration tests against it again in a few weeks. Might be worth seeing if anyone at Mongo wants to take this on more seriously to get their DB added to SpiceDB's supported database list. And I have to hand it to Claude - worked with him all day long to get this done lol.
  • Hello! My name is Niv, and I’m a new
    r

    Rimoniv

    12/21/2025, 3:06 PM
    Hello! My name is Niv, and I’m a new user of SpiceDB 😊 I’m interested in using LookupResources and LookupSubjects. For robustness, I’d like to use cursor-based pagination. I saw in the documentation that cursor pagination is not supported for LookupSubjects. However, when I looked at the internal interfaces in the code, it seems like it is supported there. Is this a mistake in the documentation, or am I misunderstanding something? https://cdn.discordapp.com/attachments/844600078948630559/1452316263354466367/image.png?ex=69495e6b&is=69480ceb&hm=6d9edacba6e86c87cdc8ee691b694c0610aed465de367cb2041e97e6700ec57f& https://cdn.discordapp.com/attachments/844600078948630559/1452316263568248996/image.png?ex=69495e6b&is=69480ceb&hm=6356c63745941f415da2083b8b34bbcb56d5b9a5ff1002f0c6a2914763ef4eac&
  • s

    StanFyr

    12/24/2025, 7:59 AM
    Hello, I have a simple (hopefully) question: in the doc, prefixed relations are shown with a `/` (`definition docs/document {}`). in our current schema, we use prefixes with a `_` separator (so `definition docs_document {}`). is there any actual difference to that? and should I migrate before the schema is too widely spread to allow that? (currently, one application uses it in a prod environment, and one is currently being worked on, we expect to have at least 5 different apps using the same schema in the future.)