Joey
09/06/2025, 2:26 AM
verdverm.com
09/06/2025, 11:17 PM
`<did>/<space>/[nsid]/<rkey>`)
[full schema](https://github.com/blebbit/atproto/blob/main/packages/pds/src/authz/spicedb/schema/atproto.zed)
I have a resource type for each segment of the segments, with a parenting setup to support nesting/hierarchy, and each AtUri has an associated data record tied to it, except for `nsid`. They are only for structuring records and granting permissions, in OAuth scopes today, and content/methods tbd, that's what I'm working on. NSID are defined by any DID, it's a very dynamic list. There are `nsid` for queries and procedures that will never have records, but we still want to put permissions over them. Certain `nsid` are expected to have high numbers of records and storing the parenting relationship in spice, which seems inefficient?
Are caveats something that can help me here? What if those caveats are large sets?
The new way to specify OAuth scopes over the dynamic NSID is as a permission set
https://github.com/bluesky-social/proposals/blob/main/0011-auth-scopes/README.md#permission-sets
I imagine we need something similar for the custom roles that we want in the content permission system, and then have to reflect those within spice by making a number of calls, or a bulk input? (maybe one day even replace the OAuth permission setup and unify the two... #futurology)
smithp4ntz
09/07/2025, 1:38 AM
smithp4ntz
09/07/2025, 1:40 AM
Joey
09/07/2025, 1:58 AM
Joey
09/07/2025, 1:58 AM
smithp4ntz
09/07/2025, 2:01 AM
Joey
09/07/2025, 2:18 AM
Joey
09/07/2025, 2:18 AM
smithp4ntz
09/07/2025, 2:21 AM
Joey
09/07/2025, 2:21 AM
smithp4ntz
09/07/2025, 2:22 AM
smithp4ntz
09/07/2025, 2:23 AM
Joey
09/07/2025, 2:26 AM
Jason H
09/07/2025, 2:26 AM
Joey
09/07/2025, 2:26 AM
yetitwo
09/07/2025, 2:29 AM
`--explain` flag on `zed` calls - it can show you the path by which a user was (or wasn't) granted access. i don't think it will compare it to the entire schema as it's currently implemented - it will only tell you where the path starts and ends.
otherwise my usual approach is to manually trace based on reading the schema and issuing readrels to check hops. this could be a nice enhancement for zed, though.
Jason H
09/07/2025, 2:45 AM
yetitwo
09/07/2025, 2:45 AM
yetitwo
09/07/2025, 2:46 AM
Jason H
09/07/2025, 7:36 AM
yetitwo
09/07/2025, 1:18 PM
Jason H
09/07/2025, 1:20 PM
verdverm.com
09/09/2025, 6:39 AM
`<space>/user:<id>` on all resources? Can I use that for partitioning relations in the same database / spicedb instances?
verdverm.com
09/10/2025, 1:58 AM
Joey
09/10/2025, 2:40 AM
seanxiang
09/10/2025, 4:37 AM
`authzed-py` release 1.22.0 might have been broken. I've raised an issue [here](https://github.com/authzed/authzed-py/issues/280). We are currently pinning to an earlier version as a workaround but would appreciate a fix at some point. Thank you!
Mohammed
09/11/2025, 9:40 AM
Mohammed
09/11/2025, 9:54 AM
Mohammed
09/11/2025, 9:55 AM