Hello, I'm wondering if anyone uses SpiceDB to authorize access to the SpiceDB read/check/write APIs. I've got a small service that wraps SpiceDB/Authzed but exposes the same/similar gRPC API, and I'm considering how I might authorize access to it (our authz service) from other services in our ecosystem.
Other services need to write relations and check permissions and they would be using an access token with a "sub" claim that matches their identity (client id).
Does it make sense to model the read/check/write etc. API permissions in SpiceDB so that a middleware could authorize the request?
Maybe with a basic schema like this:
// calling service, identified by the "sub" claim (client id)
definition subject {}

definition authz {
    // roles
    relation reader: subject
    relation writer: subject

    // permissions
    permission check_permissions = reader + writer
    permission write_relations = writer
    permission delete_relations = writer
    permission list_relations = reader
}
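The middleware decision described in the question, as an added example that is not part of the original post: each gRPC method maps to one permission from the schema, and anything unmapped, anonymous or failing the lookup is denied. The method names assume the wrapper keeps the `authzed.api.v1` PermissionsService names; `Checker`, `memChecker` and the `svc-*` client ids are hypothetical stand-ins for a real SpiceDB check and real role data.

```go
package main

import "errors"

// Assumed mapping of the wrapper's gRPC methods (authzed.api.v1 names) to the
// posted schema's permissions. Methods not listed here are denied.
var methodPermission = map[string]string{
	"/authzed.api.v1.PermissionsService/CheckPermission":     "check_permissions",
	"/authzed.api.v1.PermissionsService/WriteRelationships":  "write_relations",
	"/authzed.api.v1.PermissionsService/DeleteRelationships": "delete_relations",
	"/authzed.api.v1.PermissionsService/ReadRelationships":   "list_relations",
}

// Checker stands in for a CheckPermission call to SpiceDB (hypothetical interface).
type Checker interface {
	Check(subject, permission string) (bool, error)
}

// memChecker evaluates the schema's expressions over constructed role data.
type memChecker struct{ reader, writer map[string]bool }

func (m memChecker) Check(sub, perm string) (bool, error) {
	switch perm {
	case "check_permissions": // reader + writer
		return m.reader[sub] || m.writer[sub], nil
	case "list_relations": // reader
		return m.reader[sub], nil
	case "write_relations", "delete_relations": // writer
		return m.writer[sub], nil
	}
	return false, errors.New("unknown permission: " + perm)
}

var ErrDenied = errors.New("permission denied")

// Authorize is the interceptor's decision; sub is the verified token's "sub" claim.
func Authorize(c Checker, sub, fullMethod string) error {
	perm, ok := methodPermission[fullMethod]
	if !ok || sub == "" {
		return ErrDenied // unmapped method or anonymous caller: fail closed
	}
	if allowed, err := c.Check(sub, perm); err != nil || !allowed {
		return ErrDenied // a failed lookup is a denial, never a pass-through
	}
	return nil
}

func main() {
	c := memChecker{writer: map[string]bool{"svc-b": true}} // constructed data
	println(Authorize(c, "svc-b", "/authzed.api.v1.PermissionsService/ReadRelationships") != nil)
}
```

With the schema as posted, a subject that holds only `writer` is denied `list_relations`, because that permission is defined as `reader` alone.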