We had a usage question: is it possible to list / search many objects from a database and filter based on authorization? Like suppose I have hundreds of documents and want the user to be able to search only in the ones that belong to him, we're currently wondering how one would implement that best with something like SpiceDB? If all data was stored in a traditional DB, then one could just JOIN the relevant permissions table and filter based on that, but we currently don't see how that would be done with SpiceDB, for example.

1. if the number of elements to authorize is relatively low, you can use

LookupResources

and join with your database using

IN

clauses 2. the upcoming paginated

LookupResources

would allow you to fetch pages of authorize resources, which you can use to paginate your application UI, assuming you don't need specific ordering and are fine with the order coming from SpiceDB (which is deterministic) 3. if none of the above works, then the large-scale solution we have in mind is denormalizing the results of

LookupResources

closer to your application database using

LookupWatch

, see https://github.com/authzed/spicedb/issues/207

@voldemort02 thanks for the speedy and informative reply! Sounds like we understood it correctly then that it is a bit more tricky 🙂 I really like the way the spice permission model and everything looks. We'll hopefully come back to this when we reach the right scale