I'd just document that they return promises

meaning that they can be called with an await

whatever

got my use-case working

hi! does anyone have any pointer to how you handle controllede schema evolution across environment? (think liquibase but for the spicedb schema)

can you clarify your question?

Is it expected that doing a single level graph walk in a permission check should be taking anywhere from 100-250ms? A direct permission check is taking less than 10ms. I'm using spanner as the backing database.

are you walking over an arrow?

Yeah.

how many subjects are in the arrow's relation? if it is quite a few, then it can take some time to dispatch

Hey everyone, I have a use-case where I want to get all the relations a subject-Id has with an object-Id since I see in the lookup API we have an api to get all the object-Ids a subject-Id has with a specific relation, is there any way to get the above scenario as well, other than creating my relations as objects, since that creates some other issues. To be more precise in my use case: For my application where I have multiple roles and multiple features and each role has a different access on a feature, which in turns can give me a result that a user with a specific role has access over a feature. features := []string{"f1","f2"} roles := []string{"r1","r2"} features /roles r1. r2 f1. {"view","delete"} {"delete","edit"} f2. {"view"} {"delete"} features_role_rights_array := [][][]string{{{"view","delete"},{"delete","edit"}},{{"view"},{"delete"}}} Now Say a user with id user-1 has a role r2, I want to see over a feature what access does he has? Is there any way to get this information? I have tried this kind of configuration: These are Google Zanzibar Representations: features:f1#view@(roles:r1#member) features:f1#delete@(roles:r1#member) features:f1#delete@(roles:r2#member) features:f1#edit@(roles:r2#member) features:f2#view@(roles:r1#member) features:f2#delete@(roles:r2#member) roles:r2#member@user-1 Now in order to get my query I am not able to get the details of accesses user-1 has. Is there any way to get this information? Please let me know if you need any more details around this.

hi everyone, apologies in advance if this is not the appropriate forum to post my question.

list all permissions a subject has over a resource

hello, i am using

lookupSubjects

API to get a list of subjects with access to a particular resource. It is working, and I get the list. However, the list entries are in the format, where only object id value is immediately useful as:

{
  subjectObjectId: '2',
  excludedSubjectIds: [],
  lookedUpAt: { token: 'GgQKAjMx' }
}

I understand that "expand" API might be available to get the types of permissions for each subject. Please point me to an example. Further, if possible, I would rather combine lookup with expand, instead of running an additional query for each subject. Suggestions?

Hey @Igor.Shmukler I don't think I fully understand your question. Mind indicating what are you trying to achieve?

@vroldanbet sure, i want to know the type/name of the

relation

between object and subject

I see. Here is the thing, a given

permission

is likely to be the result of traversing the relationship graph.

Expand API

shows you that graph: it shows "how" subjects get a specific

permission

over a

subject

. The result is a graph.

in that case, it seems that the easiest way to get what i want would be: 1. call lookup subjects to get a list of IDs 2. check each ID as to whether the subject has access to each specific

relation

type and using a call per

relation

build something like

{read: true, write: true, execute: false}

Right?

@vroldanbet ^^^ ?

If im not mistaken you should be able to do that with expand, except it by defaults shows all subjects, not just one in specific

I'm not sure if expand allows filtering for a specific subject, let me check

thank you. if there was a way to batch these somehow, it would be awesome

why not using expand directly instead of lookupsubjects? I think it gives you what you need, but you'd need to traverse the resulting graph in the clientside

i would love to use expand directly or anything else

could you please point me to an example

as to why - i don't know much about SpiceDB

what client are you using? node?

yes

unfortunately we don't have an expand example as far as I can tell, and I'm not the right guy for node questions 😅: https://github.com/authzed/authzed-node/blob/1e31ccdd39ab68a909d807b6253def671461c605/src/v1.test.ts I think @Joey or @Sam can help you out when they start their days. @Sam would it make sense to add examples of the various RPCs in https://github.com/authzed/authzed-node/pull/38 ?

here are the docs of the Expand API: https://buf.build/authzed/api/docs/main:authzed.api.v1#authzed.api.v1.PermissionsService.ExpandPermissionTree I think following the same reasoning on how other types of requests are constructed you could infer how to do Expand ☝️