Hi! I was wondering if anyone has any experience working with tonic and the authzed grpc in rust? I can run permission checks pointing at a local SpiceDB, but get errors when trying to connect to my actual environment. I can connect successfully using the python sdk, so it must just be my exact rust implementation

what error are you seeing against your environment?

Error: Status { code: Unknown, message: "transport error", source: Some(tonic::transport::Error(Transport, hyper::Error(Io, Kind(ConnectionReset)))) }

- it is quite unhelpful

hrmph. do you have TLS setup on your environment?

That's my mistake - I thought I had enabled that feature with tonic (ie. tls and tls-roots) but I hadn't. Apologies for wasing your time a bit

no worries at all! glad we got it figured out

Are there any good resources on best practices for RBAC using Zanzibar? Not technical info, but guidance on designing correct policies, organization, and schema

the general rule of thumb is each role (unless they are custom roles) gets a

relation

representing that role. as for organizations, etc, that's entirely based on your use case

this blog post may also serve of inspiration: https://authzed.com/blog/user-defined-roles/

Hi! I have a use case that I'm wondering if it's possible to express in Zanzibar/SpiceDB at all. First of all, we're a SaaS, let's simplify and say we have a single resource, Report. Our tenants have users, and those can be assigned to (customizable) Roles. (Users have optionally managers, which are other users) Our tenants can create Reports that are isolated from other tenants. Roles are created and configured by the tenant admin, and they can be configured in a variety of ways such as: * Members of this role can View any report within their tenant. * Members of this role can Edit reports that they own. * Members of this role can Edit reports that they own, plus reports owned by anyone they manage directly or indirectly (i.e. recursively). * Members of this role can Delete reports owned by anyone they manage (but not their own reports). Etc etc. In general any role can configure View, Edit and Delete permissions on Reports, orthogonally with the "target": ("only their own" and "only those owned by anyone they manage") A user can belong to many roles as well, so flexibility is maximal. However I'm not sure this is expressible in Zanzibar. Does anybody have an idea on how to model this?

hey there, https://authzed.com/blog/user-defined-roles/ might have some guidance on what you're looking to do. This is definitely expressible, but would be hard to describe in chat without more context and some back-and-forth

I got this error because some relationships were present for the old schema. After removing those relationships I was able to update the schema.

yeah, this is usually the cause. We'll be making the error message more descriptive in the future

How do we “bootstrap spicedb” from the playground file?

👋🏻 you can use any of the following flags:

--datastore-bootstrap-files strings                       bootstrap data yaml files to load
--datastore-bootstrap-overwrite                           overwrite any existing data with bootstrap data

Hi Looking at the API for resourceLookup, do we need a "permission" there? We want to retrieve a list of all resources/permissions for a given subject.

is that possible?

The API tells you "which resources does a subject have access to under a specific permission". Yes, it is required. If you want to retrieve all resources for all permissions, you have to perform one Lookup resources call for permission and resource_type pair

Hi! How can I configure spicedb to use my postgres instance

There is still no possibility to backup easily the authzed.com saas solution? We do not want to build and refactored it with every schema change with the readRelationships API.

do you want to extract the backups? Authzed.com SaaS is automatically backed up on our end

No just in case you stop the service and we can import it into our own spicedb.

in the event that we completely shutdown Authzed.com without a migration to another hosted solution, I would imagine we'd provide a way to download the full dump

FWIW native backups aren't too far deep into the roadmap, but i'm not going to promise timing on software development 😛

Hello! I watched a lot of videos about SpiceDB and Zanzibar and two terms often come up "Leopard Cache" and "Tiger Cache". I looked up on Google but I can't see any meaningful resource about what these are. Do you guys happen to have more documentation about it?

Leopard is a denormalization between nested groups where you can always resolve membership in a parent group with a constant number of steps. There’s a section on it in the Zanzibar paper: https://zanzibar.tech/

Section 3.2.4

Tiger cache is a proposal to generalize that beyond just accelerating group lookups to denormalization of arbitrary problems

Thank you, I guess I'll read it more. Perhaps I have trouble grasping the concept because I can't point to some existing tech such as redis (or )

"denormalization between nested groups" sounds bit like an over-simplification. the paper does not mention how did they solved the "search with permission" problem. I wouldn't be surprised if Leopard also plays a role in that