SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

roughly, although if you wanted the name of the group to be "banned" it would be a little different

one sec and I'll put together a playground example

here you go: https://play.authzed.com/s/MXrd7rqwIUBO/schema

you can add and remove this relationship: `usergroup:banned#direct_member@user:an_engineer` to see the effect

So say I have `user:Bob#has@attribute:disabled` to indicate that we've turned off Bob's account access. I'm now trying to write the permission that excludes disabled users from accessing data. `permission write = owner->act_on_behalf - ???`

What would go in `???`? You can't specify a _known object_ in the schema language

correct, you would have to bind that disabled attribute to the object from which you're dispatching

oh. and for every object add `object:id#disabled@attribute:disabled`?

if you you want to handle it at the platform layer, you could bubble it up to an overarching object from which all other objects are descendants

then you could do something like:
`relation platform: platform`

and on the platform:
`relation disabled: attribute#has`

and then do
`object:doc#platform@platform:yourproductname`

and then:
`permission write = owner->act_on_behalf - platform->disabled`

then you just need to write one relationship between the object and platform and you can handle any number of attributes

we also commonly see the `platform` object for things like super admins

you're welcome, let me know if you get stuck and I would be happy to help!

And just clarifying, when I do this: `relation account_manager: account#manager`
in tandem with a concrete relationship of `user:user_id#account_manager@account:account_id#...`, then all users that are marked `manager` to account `account_id` are marked as account managers for user `user_id`?

yes except that for the concrete relationship you need to end it in `#manager`

or you can make it:
`relation account: account`

and then in your permission just do:
`account->manager`

And if I'm reading the docs right the thing that comes after `#` in the relation definition can be a computed permission?

yes and yes, although we've basically deprecated the `...`

you can just leave it off of relationships in the playground

<@!802245842077483029> I'm working on a simpler schema here https://play.authzed.com/s/dDZw0M4NEHrZ/relationships Where there are app, users are players of app and app can have consumer relationship with api. I now want to ban a specific app's player from access the api but couldn't find a relationship syntax that work

basically app are given access to api. and that'd give all the app's player access as well unless that player has been specifically banned