Yes. Or a filtered list for the resource level admin. Depending on which user is logged in.

if the goal is to display the full list regardless, a LookupResources will work for both; in the case of the platform admin, so long as

read_all_resources

is "simple" (no intersections or exclusions or caveats), the LR should be (fairly) performant with the single batched hop

otherwise, yes, you'd need to

CheckPermission

if the user is a platform admin and, if so, just list all resources directly

I assume you have either only one

platform

or resources will be distributed amongst those `platform`'s?

One platform. My main concern would just be 1,000,000 results that would be returned for the admin. Since I don't know that was a complete list I would have to try and filter the DB with them, but that would almost certainly be too many.

is the intention to provide some way to filter theses resources by searching, or term, or something else?

or just display a list?

We should assume there will be arbitrary filters as well as pagination.

if that's the case, you might want to instead do the filtering ahead of time against your DB/search index, and then check results, especially if you expect the filtered count to be MUCH lower than the accessible count. long term, we're working on Tiger cache to make this much better: https://github.com/authzed/spicedb/issues/207

That definitely looks interesting. The two calls will work for now, but I'll keep the tiger cache in mind.

I can't seem to invite any users to an organization in AuthZed. They get to the invitation pretty fast but see the attached error.

thanks for the report; will take a look shortly but as a workaround, you can have them login and then add them to the organization by email once they've logged in

Yup that approach works. Thanks!

i know that one of the benefits of ReBAC is that you can model RBAC inside of it

and that's one of the use cases i need to support and i'm having trouble wrapping my head around it - namely that you need some way to determine who can write relationships between roles and entities, and that modeling that using roles seems troublingly self-referential

is there a resource somewhere that walks through how one goes about it?

you can usually accomplish this by having "meta" permissions on the role:

definition role {
  permission can_modify = ...
}

which could point to another role

you just need to make sure you have a "bootstrap" permission to determine who can create roles

yeah, that's the part i'm hung up on

would that go on the user?

is it for modifying the user, or the role?

modifying the role

so usually the role itself then

and adding relations between the role and other entities, whether those are subjects or objects

so you could do

ah hmm

something like a relation of

owner

which is created when the role is created?

yeah