SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

Hi, I'm trying to model a hierarchy of folders where any `folder` can be assigned to a user - who then has the `can_manage` permission on it and all descendents. Pretty standard stuff, but the quirk is that an assignee should  remove permission from any assignee made further up the tree. I have this schema - 
```definition user {}

definition platform {
    relation default_assignee: user

    permission can_manage = default_assignee
}

definition folder {
    relation parent: folder | platform
    relation direct_assignee: user

    // this permission should traverse to parent->can_manage only if direct_assignee relationship is empty
    permission can_manage = direct_assignee + parent->can_manage
}

definition file {
    relation parent: folder

    permission can_manage = parent->can_manage
}
```
 ( https://play.authzed.com/s/mPTg5isqHSCb/schema has this, test data and assertions for the desired behaviour).
I'm stumped on how to express `folder.can_manage` - '+' isn't right. Any hints gratefully received 🙂