Hi team, I’m new to spicedb, we are looking for support like user group or resource group, are they natively supported by spicedb or how do I implement them? My scenario is a pretty typical BI scenario (where authorization is a must have feature down to the column level authorization for each user or user group), I have a list of workspaces that each contains a list of tables, within each table I want to specify what user have authorization to what column under that table. So I assume the idea of having column group or user group would help me better modeling authorization using spicedb, or do I have to store those information in my own database? thoughts? Thanks in advance for any suggestions!

I wrote a blog post that might be helpful: https://authzed.com/blog/how-small-is-too-small/

So I used to have a user table, a workspace table, and a userworkspace that saves the edges between user and workspace (and of course, the user role within each workspace), with spicedb, does that mean I can stop maintaining the userworkspace table and completely delegate that to spicedb?

you can! one thing to note if you do that though, is that you will no longer be able to join between user and workspace for complicated queries in your database

oh I see, since we are developing in golang with ent, I guess it still makes sense to draw an edge from node

user

to node

workspace

? but probably let alone keeping a third node

userworkspace

for storing role informations. Since ent is by far the more powerful entity framework in go (it has its basic authorization setup but not as comprehensive) and spicedb is obviously gaining good popularities in its own space, I am wondering if there is any demo applications written in ent and spicedb, I think it would definitely help the adoption of spicedb in go community

hey y'all, did I understand correctly that the default cache TTL is 60s? I assumed one of the nice properties of SpiceDB is that caches can be evicted explicitly because the application controls the lifecycle of the relationships datasets, thus no need for TTLs, and caches can remain in memory for longer.

There is no TTL, we rely on ristretto to evict old unused answers

There used to be a namespace cache with a 60s TTL but that was replaced with the same strategy

I see. Looking at

main

branch,

NamespaceCacheExpiration

is no longer around AFAICT

Right

that aligns with that I expected. It just means our fork is bit old already 😅

Can we help with anything to get your work upstreamed?

Reviewing the PRs should suffice! It's just a matter from our side to dedicate time to upstreaming it, which I'm hoping we can get into ASAP

We are almost finishing load-tests, so we are fairly comfortable with how its working

Out of curiosity what IDE or tool are you using to manage maven? Adding authzed-java should have automatically brought in grpc-stub but I want to check if the client library is missing anything

Hi, is there anyone who used keycloak before? I want to migrate my keycloak permission into spicedb but could not model the schemes. I would like to get some help 🙏

Currently I have resources (buttons, api endpoints) which have scopes (actions) and roles that have access to some resource-scope pairs. I want to model that structure in spicedb.

Do I need to create different definitions for different resources?

Is there a VS code extension for authzed schema?

@emre.savci the standard design would have a different definition for each resource type, with the actions declared under them (as `permission`s) pointing to roles (as `relation`s)

@tonyabracadabra not yet, but there is an issue tracking a language server and we do have plans for a VS Code extension: https://github.com/authzed/spicedb/issues/179.

What is

--dispatch-upstream-ca-path

used for? I assume it's the TLS cert that protects the

dispatch (50053)

port... but is that a correct assumption

Wondering if I can use

cert-manager.io

to generate this and pass through a k8s secret via this flag. Or am I completely wrong and conflating things?

(I'm trying to move TLS decryption from the Network Load Balancer, to the actual spicedb pod/container)

I am curious about having thousands of resources and scopes have any performance impact? Or is it the native way to define this kind of requirements?

The bulk of the overhead will be based on data; having lots of resource types and relations should be fine, although you might want a more dynamic model if you have that many

Hi I have a question on the google group example, specifically what does this mean

relation prevent_post_web: user:* | anonymous_user:*

?

hi @HOPE: it means that a wildcard for

user

or

anonymoususer

can be written to that relation to match any object of type

user

or

anonymoususer

so lets say you have

permission post_web = editor - prevent_post_web

and you write

user:*

to

prevent_post_web

, then it means no

user

can post