# spicedb
c
Hi there again, I'm still looking into SpiceDB to integrate into my app. I've come to another point where I am not sure how I would do it in SpiceDB / Authzed. So maybe somebody can give me a hint. I have two questions here:

1. I am migrating to JWT, so some of the information about what privileges are given to the user partially comes from the identity provider. AFAIK if I had a normal schema I would (for example) have an `application` resource with an `admin` relationship to the `user`. Now, in my case the `admin` role is provided by the JWT token containing a `groups: [admin]` claim in the signed JWT, which tells the application that the user is a system administrator. Do I have to synchronize the user roles from the JWT into SpiceDB on login / every request for the application, or is there a way to provide something like context to SpiceDB when querying it?
2. If implementing SpiceDB among microservices / different applications, would I rather have a single SpiceDB with something like namespaces or just have one per application?
y
1. i'd recommend eventually migrating everything to a single source of truth - get it out of the JWT and into SpiceDB. only use the JWT for authn, not authz. 2. in our system we decided to model domain objects in our definitions, and keep a single notion of the domain object across the system. no namespacing, no separate instances.
c
1. The single source of truth is the JWT. I just need to either import the data into SpiceDB or be able to feed it into the queries. 2. That would imply that the applications are aware of the permission model of the other applications. In my case that's not an option.
y
for the first, it'd probably be about caveats, then
and i'm not quite sure what you mean about the second point
c
I'm fine with caveats, I just wanted to make sure I'm not missing anything in the documentation. About the second: if my applications have a similar resource with different permissions, they would generally overlap. I'd assume that's where a namespace would come in handy. For example, in my case we have applications that have different permissions on tagging content. Some allow community-contributed tags, and some don't. That would mean that a `post.add_tag` permission would generally risk overlapping among the different apps.
v
👋🏻 hey, SpiceDB is inspired by Zanzibar, and a core principle of the system is its ability to defeat the new enemy problem by understanding the lifecycle of the data used by authorization decisions with strong consistency semantics. So storing the state of the world in SpiceDB/Zanzibar is a fundamental mechanic of its design. The JWT does not seem like the source of truth here, but rather the Identity Provider that emitted the token, unless I'm missing something? In fact nothing prevents an administrator from removing the user from the group, and your JWT would already be stale - that's the type of thing that SpiceDB prevents. With that said, folks have signalled that something like Directory Sync / SCIM would be useful to feed SpiceDB such information. It's not in our priority list for now. We certainly think using JWT claims and feeding them into SpiceDB Caveat Context is an excellent use-case (see https://authzed.com/blog/top-three-caveat-use-cases/), but it is not exactly what you are describing here.
> 2. If implementing SpiceDB among microservices / different applications, would I rather have a single SpiceDB with something like namespaces or just have one per application?

there is no logical namespace separation in a single SpiceDB instance ("multi-tenancy"), so it really depends on your operational and security needs. I'd probably do a SpiceDB cluster per microservice unless there is a good reason to have them in the same schema (e.g. a shared business domain across multiple services).