# spicedb

janjiss

03/23/2023, 5:09 PM
Good time of the day! I'm new here, so first of all, let me say that I've been playing around with SpiceDB and it looks like this is just what the doctor has ordered for the pain of managing permissions. Now to get into the issue that I am trying to solve - in my application I have the following hierarchy:
```
Worksheet
  Stage
    Step
```
Basically Worksheet has many Stages and Stage has many Steps. I've represented this in SpiceDB the following way:
```
definition user {}

definition worksheet {
    relation viewer: user

    permission view = viewer
}

definition stage {
    relation worksheet: worksheet
    relation viewer: user

    permission view = worksheet -> view + viewer
}

definition step {
    relation stage: stage
    relation viewer: user

    permission view = stage -> view + viewer
}
```
In other words, if I have access to a worksheet, then I have access to all the stages and steps. There are really two questions:

1) Say I have access to a Worksheet, but I wanted to block a specific user from accessing a step, what's the best way to achieve that?

2) One of the indications in the app that we currently use to figure out whether or not to show a Worksheet is: does a user have a view permission on a step? Do I need to create a relation entry of user on a Worksheet every time if I wanted to query all Worksheets? Or should I set up some sort of reverse hierarchy to achieve this?