also full_consistent bypasses the cache

but I imagine the majority of your overhead is crossing oceans

@Joey If I understand correctly , against each definition type we need to store the zedtoken , correct? I actually tried at_least_as_fresh didn't see much improvement. As you mentioned this can be just network latency.

you don't need to do so if you don't mind eventual consistency

but yes, this is likely 90%+ network latency

eventual consistency = minimize_latency option correct ? how much time it takes for eventually being consistent. Do you have any ball park numbers against some data set?

5s

on the user-defined roles, say you have a user that wants to create a role but you want the user to only add permissions they themself have.

definition location {
    relation administrator: user | role#member
    relation devices_viewer: user | role#member

    permission admin = administrator
    permission view_devices = devices_viewer + admin
}

definition role {
    relation member: user | role#member
}

so for example, the user has the

administrator

relation with a location and wants to create a role with the

view_devices

permission through the

devices_viewer

relation, but since they don't have the

devices_viewer

relationship but have the

view_devices

permission, how do we check that the user can grant the role the

view_devices

permission through the

devices_viewer

relation which would ultimately grant the role the

view_devices

permission?

you encode it in your application logic, unless you see yourself have a VERY large number of roles

What do I encode in my application logic?

when the user choses to grant the

devices_viewer

role, write a relationship to that relation

But I want to make sure the that the user doing the granting has the resulting permission,

view_devices

and we know that user only has the

administrator

relation not the

devices_viewer

relation. Would I have to make note in my application the specific relation that corresponds to the permission that can be granted and then I can check if the user has that permission before creating the relation with the role? Would that be the encoding in my application?

if you want to make sure the granting user has the permission, then check it

it should be a simple map from role to permission

Thank you for your feedback. 🙂

ok, thanks

we do recognize that this is a bit annoying to encode in the application, which is why we have reflection APIs coming too

If you have an

organization

and can create roles for it and assign any permission on any resource in the organization, with a direct or indirect relationship with the org, to the role, would that require updating the ZedToken on the organization every time any relationship is updated/written so the role can have the most up to date permissions when checking? In that case is that pretty much just having one zedToken and using it everywhere?

only if you absolutely, positively need full consistency; the majority of the time, you do not

clarification on the eventual consistency. Is it that the service will always be up to date every 5s? Is it configurable? I don't see it in the options of

spicedb serve

its that the cache will be used for ~5s; its the size of the quantization window

got it

Hi, we are struggling trying to model our authz system, having the following components: User -> (John Doe, Mary Blee) a user can have different roles on different Region/Location. For example, John could be SalesManager in Italy, and Accountant in Hungary and ITSupport in LATAM. Region -> (APAC, LATAM) groups administrative locations. A user can have a specific role to an specific Region. Location -> (Italy, Hungary) the resources belongs to locations. Role -> (SalesManager, SalesClerk, Accountant, ITSupport) a role groups the permissions over the different resources. Resources -> Orders, Bills.. etc.. Scoped to locations. Our main issue is how to establish the relationships between user:John and role:SalesManager in Location:Italy. Please, could you help us on this?

I'm not exactly sure how to intend to map roles to their permissions, but if they are predefined, you'll want something like:

definition user {}

definition region {
  relation sales_manager: user
  relation sales_clerk: user
  relation accountant: user
  ...
  permission edit_order = sales_manager + accountant
}

definition order {
  relation location: region
  permission edit = location->edit_order
}

ReadSchema

returns the schema as a string, is there no way to get a parsed version of the schema, where we can easily get the definitions or permissions defined in a definiton, or do we have to parse the schema ourselves?

currently, no. we have proposals for a reflection API: https://github.com/authzed/spicedb/issues/613

So is the best course now to explicitly link the definitions with their permissions in the application?

yep

alright, thanks

Hi, I would like to know if you have a practices / ideas to check if the data inside spiceDB is synchronize with the logic database. For exemple, I have mongoDB contains the description of a group and un micro service authzed which check the authorization. I want to be sure that the data is well synchronized