Thank you, looking into caveats now

let me know if you have any questions

Caveats look good. We will possibly do a POC on Jan before going all in. Joey, thanks for your help.

Hello, A quick question regarding the timestamp logged in SpiceDB for each tuple updates , is there a retention period for which the transaction logs are retained in DB ? Any way to query any specific relationship tuple based on timestamp / time range within which it was created ?

The retention period is based on the datastore type used but is generally a default of 24 hours

Time ranges are not supported for querying

the time stamps used for relationships are internal implantation details of the datastore

What would be your reason for querying by time stamp?

Hi folks, what would be the best way to represent properties of a object? for instance I would to represent the fact that a organization is a contract owner and users of the orgs can only view the resources under that org if the org is the contract owner. I could represent with a recursive relation to itself but somehow doesn't feel right

In the following example:

definition user {}

definition folder {
    relation reader: user
    permission read = reader
}

definition document {
    relation parent: folder

    permission read = parent->read
}

lets say that I want users to have

read

permissions whenever a document does not have a parent_folder. What would be a nice way to go about this? I guess this is another instance where the intersection arrow would come in handy. A possible solution could be:

definition user {}

definition folder {
    relation reader: user
    permission read = reader
}

definition document {
    relation parent: folder | folderless

    permission read = parent->read
}

definition folderless {
    relation reader: user:*
    permission read = reader
}

but it feels a bit off, since there is no way to guarantee folder and folderless are mutually exclusive. Does anyone have some tips or ideas on how to solve this?

Hi @LarsRan ! I believe you can solve this with the exclusion operator. Checkout "Example: Exclusion" here https://authzed.com/blog/check-it-out-2/

Using just intersections and exclusions I can get to the following

definition user {}

definition folder {
    relation all: user:*
    relation reader: user

    permission not_read = all - reader
}

definition document {
    relation all: user:*
    relation parent: folder

    permission read = all - parent->not_reader
}

This would give me what I want (if a document can have at most one parent). But it still feels a bit off

Thanks for the link though!

But maybe you know of some ways how to improve on this schema

Hi @costap - I believe this is what you're looking for

definition user {}

definition organization {
  relation member: user

  permission view_all_contracts = member
}

definition contract {
  relation owner: organization

  permission view = organization->view_all_contracts
}

Using just intersections and exclusions

Hi costap2585 I believe this is what you

You can guarantee that folder and folderless are mututally exclusive with preconditions

Hmm, that sounds interesting! I am going to look into that

The use case would be, like get me all role assigned to a user which are over 3 months old ? I would like to re-assess those

Any view on this ? thanks.

What situation causes the Watch stream to get 'cancelled'? Is this something happening in SpiceDB code or a problem at some other layer (grpc or network)? have a listener on a watch stream in my node app, but arbitrarily, the stream cancels itself (haven't been able to find a pattern yet, can happen in the middle of API calls or even if the server is just running idle) Example payload in the

data

there

Good Morning, may I ask for some help on how to model our permissions system as I don't really know how to model it in Authzed? We have documents that have restricted parts: "title", "intro", "agenda", "summary", each client (users) can be granted access to some or all of those parts. Our clients belong to a company, but within the same company the permissions can vary form user to user. Also for a given user the permissions are not the same across all documents. I guess we really need a 1:1 relation between user and document permissions? The only way I could think of modelling this is using relations as permissions, but it feels hacky. Another option would be to create all the permutations of those permissions and assign each one to a relation, then add the user to the relation that contains the permissions that match the user, but adding new permissions would mean reshuffling the users etc. Any suggestions?

Has there been any update regarding the performance issues on 1.14.1 I encountered in this thread? In particular the CPU consumption issue https://discord.com/channels/844600078504951838/844600078948630559/1046395550972526632 I'd love to be able to upgrade, as there's 2 bugs that have been fixed in this version :/

In addition, I found a performance issue of the GC, details in thread!

I'm looking for a way to process schema files for code generation. I've created a utility that takes the schema and converts it to JSON. It would be really helpful to have metadata on the different parts of the schema. Is there anything like that in the works? Right now I am embedding metadata in comments, but it would be really helpful to have a first class way of doing this.

@vroldanbet I've started a change for https://github.com/authzed/spicedb-operator/issues/113 in https://github.com/ensonic/spicedb-operator/commit/cadc2916e7a8f9a9181b6480feb540a1587ea79b . Do you know what logic determines wheter the gateway is run (httpTLSKeyPathKey & httpTLSCertPathKey)?

this could be due to a number of factors, but as a watch client, you should always reconnect and resume from where you previously left off if you get a canceled error

are these permission pre-defined, i.e. there will always be permissions like

write_title

,

read_intro

, etc? or can they be more dynamic?