https://authzed.com logo
Powered by
spicedb
  • l

    luke

    02/09/2022, 10:08 PM
    our top two editors are vs code and vim i believe
  • j

    Joey

    02/09/2022, 10:09 PM
    so the playground actually has a monaco definition for its syntax highlighting, but it isn't OSS
  • j

    Joey

    02/09/2022, 10:09 PM
    if you don't mind, file an issue in SpiceDB for a LSP?
    j
    e
    • 3
    • 3
  • j

    Joey

    02/09/2022, 10:10 PM
    its been something we've been considering for a while
  • l

    luke

    02/09/2022, 10:13 PM
    will do, thank you! the issue should be for a full language server implementation rather than just syntax highlighting?
  • e

    emigm

    02/09/2022, 10:13 PM
    Would you help me with this: 1. Given object 
    Type:1
    and subject 
    Type:2
    2. Object has the permission to 
    tag
    subject iff object was created after subject I'm having trouble modeling these timestamp-based scenarios into 
    .zed
    relationships
  • j

    Joey

    02/09/2022, 10:15 PM
    @User yep
  • j

    Joey

    02/09/2022, 10:17 PM
    @User permissions that rely upon items such as time are considered "dynamic" and are not easily calculable using SpiceDB as it stands today. We have a proposal for an idea called "caveats" that would allow you to express these kinds of permissions: https://github.com/authzed/spicedb/issues/386. If you like, please add your use case as an example
  • e

    emigm

    02/09/2022, 10:18 PM
    Looking into it, thank you
  • v

    vad

    02/10/2022, 9:12 AM
    I'm not sure you can do both with LSP, at least in vim. In neovim we're now using treesitter for syntax hightlighting
  • p

    phroggyy

    02/10/2022, 1:25 PM
    with regards to managing permissions through "teams", e.g "this role within this team, should have access to all orders related to the team", would it be correct to model the team as a resource, with each role being a relation, and then have the resource have a relation to the team, with a "global" permission on the team. E.g something like this 
    definition user {}

definition team {
    relation account_manager: user
    relation sales_director: user
    relation member: user

    permission view_associated_orders = sales_director + account_manager
}

definition order {
    relation team: team

    permission view = unit->view_associated_orders
}
  • p

    phroggyy

    02/10/2022, 1:27 PM
    And does Spice have an easy way to list "these are all the users associated with a team"? I assume that's through 
    ReadRelations
  • p

    phroggyy

    02/10/2022, 1:30 PM
    Or would it make sense that I make every user a "member" and assign additional roles for the others
  • j

    Jake

    02/10/2022, 1:34 PM
    I think you want to start your permission at the order
  • j

    Jake

    02/10/2022, 1:35 PM
    So order would have a relation to the team managing it
  • j

    Jake

    02/10/2022, 1:35 PM
    Then your 
    view
    permission could apply to the people on the team with a specific role
  • j

    Jake

    02/10/2022, 1:36 PM
    view = team->sales_director + team->account_manager
  • p

    phroggyy

    02/10/2022, 2:47 PM
    @User yep, sorry, business unit is what it was called, I forgot to rename in all the places before posting 😄 team seemed a more generic term everyone would be familiar with
  • p

    phroggyy

    02/10/2022, 2:47 PM
    Can permissions go from inherited roles? From the docs I interpreted it as only working for inherited permissions
  • p

    phroggyy

    02/10/2022, 2:47 PM
    That's why I introduced the 
    view_associated_orders
  • j

    Jake

    02/10/2022, 2:48 PM
    oh ok, yeah you can point to either a relation or a permission on the right side of an arrow
  • p

    phroggyy

    02/10/2022, 2:48 PM
    ah gotcha! Yeah then that makes total sense
  • j

    Jake

    02/10/2022, 2:48 PM
    you can only use a relation on the left hand side of an arrow though
  • p

    phroggyy

    02/10/2022, 2:48 PM
    definition user {}

definition business_unit {
    relation account_manager: user
    relation sales_director: user
    relation member: user
}

definition order {
    relation unit: business_unit
    relation creator: user

    permission view = unit->member
    permission update = unit->sales_director + creator // a director can always update orders, and so can the person who originally placed the order
}
  • p

    phroggyy

    02/10/2022, 2:48 PM
    along these lines then
  • p

    phroggyy

    02/10/2022, 2:49 PM
    is there a way to constrain it such that the 
    creator
    at the time of checking 
    update
    must be a part of the business unit?
  • p

    phroggyy

    02/10/2022, 2:50 PM
    so 
    creator == unit->member
  • j

    Jake

    02/10/2022, 2:50 PM
    yeah you can use an intersection
  • p

    phroggyy

    02/10/2022, 2:50 PM
    I suppose really that's just an intersection with 
    unit->member
  • j

    Jake

    02/10/2022, 2:50 PM
    yep!
1...848586...325Latest