subject relations point "down" in the sense that they basically include any users/subjects found within that relation

so for example

if you have

relation viewer: group#member

you're indicating that the member of a

group

are the

viewer

, rather than the group itself

in here:

relation permission_set: role#permission_set

    permission read = role_holder & permission_set->read_site

you'd likely use

relation permission_set: role

, because arrows (

->

) ignore subject relations

and would i need to define the permissions at each level, or is there some way to walk multiple levels to get down to a permission?

like the syntax i started reaching for was

role#permission_set#permission->read_site

, with the idea that the # is "walking" those relations

but that doesn't seem valid

You’d define permissions in each type and then arrow to them

Is there a way to turn off the watch API through CLI flags? I'm seeing high CPU usage by a query that seems to be run through the watch functionality (leading to constant spikes in the postgres CPU) with pretty high avg latency per call

I have another design question consider

Hey 👋 say you are providing a multi tenant platform, where some (100 to 1000) tenants (organizations) are on as "customers", and you want to use authzed as a way to provide access management from platform level over control plane level to data plane level, so use cases range from "as a platform support engineer for customer X, I need to be able to access (a subset of) X's resources when on-call" ("platform") over "as a service provider of an SaaS solution, I need to be able to set fine grained access permissions around provisioning of my service X for different customers" ("control plane") to "as a service provider inside an org, I want to use authzed as access management solution on the data plane for the users of my service." ("data plane") Other requirements are, that users could be tied to multiple tenants, e.g. user has extended rights in their "home" tenant X, but only reader rights when accessing a service tenant Y provides. To be tied to a tenant should not say anything about access control in the first place (white-listing). Hope this makes somehow sense and some people are willing to discuss a possible model for this 🙂 I've seen https://github.com/authzed/spicedb/issues/204 and understand that instance per-tenant is most secure, but somehow I am not sure it works together with the requirements of "a user can have relations to more than one tenant" and the platform level use cases.. before this gets too long, let's see if anyone has any hint how to model that, because it feels huge for me atm 😉

Supporting Multi-tenant Use Cases · Issu...

got it. thanks!

just wanted to check in if there were any plans to opensource/release the vscode extension (i believe the playground uses similar underlying architecture?) supporting syntax highlighting, intellisense etc? I was starting work on this and made some headway but didn't want to continue in case there were plans to release the one that's available on the playground

Hi! I wander if there is a way to model a something like exclusive ownership. For example: There are 2 groups of clients (A and B). In case of client belongs to A etheir B group - it can be edited by users related to either A or B group. But in case of client belongs to both groups - it must be editable only for B-group users. Is it possible with pure ReBAC, or I need to wait for caveats?

Hi, I was wondering if in the future wildcard relations will be allowed to be used on the left side of arrows? Thanks

unlikely; the semantics of a walking over a wildcard are not well-defined. how are you hoping to use it?

Ahh ok. I was hoping to use it to block certain types of users from a list. Thanks for replying

how about this? https://play.authzed.com/s/bcUxo7eZOutm/schema

Hi there everyone 👋 . I am looking into options for securing my web project. I've come across SpiceDB and I find the concept really interesting. I have one question regarding "reverse permission lookups". I have noticed that in the documentation there's the assumption that I will do something along the lines of

zed push /blog/post:1 read@rachel

(sorry if I got the syntax wrong). Is there a mechanism to list the posts that Rachel is allowed to read? If not, what mechanism should be used to generate lists like that?

Oh. That's great. Does it support any kind of cursoring? Say I wanted to list the private conversations of a user and they happen to have thousands.

not yet; there is an issue for adding cursors/pagination

Hi I wander if there is a way to model a

looks like it, thanks!

I just found it and noticed that it mentions that the idea is to replace it with streaming. I am unsure what you guys mean by that. I only know streaming in the context of files / HTTP responses, but I'm assuming this is not what it refers to.

we'd still apply cursors, even if/when we make it fully streaming

gRPC supports streaming natively