Is there any way we can define OPA-like
# spicedb
s
Is there any way we can define an OPA-like policy in SpiceDB? Many legacy applications might not want to share data (relationship data) with one more system. For such legacy applications, what is the recommended pattern for applying data authorization?
v
SpiceDB supports ABAC policies via Caveats:
- https://authzed.com/docs/reference/caveats
- https://authzed.com/blog/caveats
- https://authzed.com/blog/top-three-caveat-use-cases

If I understand correctly, you are describing a legacy system for which there is some impediment to replicating its data to SpiceDB. You need to store at least some minimal relationships in SpiceDB. For example, you could technically store a relationship used solely to authorize based on the result of the caveat/policy; you could model this as a caveated wildcard relationship (e.g. `user:*`).

```
// Caveat whose single context parameter decides the outcome directly:
// the caller passes {"authorize": true|false} in the check's context.
caveat my_policy(authorize bool) {
  authorize
}

definition user {}

definition resource {
  // Caveated wildcard relation (the schema keyword is `relation`):
  // one stored tuple resource:<id>#policy@user:*[my_policy] covers every
  // user, and the caveat context supplied at check time decides the result.
  relation policy: user:* with my_policy
  permission authorize = policy
}
```

This is a very naive example, but hopefully it illustrates the idea. With the above schema, and by storing just the schema and a single `user:*` relationship, you can let the caveat context arguments decide the outcome of the authorization request.
s
Thanks for responding and explaining it to me. This helps. The way I am thinking: let the policy engine return the query condition, and inside the application, at the enforcement layer, apply the query condition to filter the records.
v
We have discussed executing SpiceDB Caveats on the client side when an expression is unfulfilled (i.e. there are missing context values); it could be technically feasible, but that's not currently supported.
I'd be curious to hear more on the reasons why that legacy application cannot integrate with SpiceDB. What's the database used there?
s
The legacy application uses DB2, and for them the major concern is maintaining data in one more location and maintaining its integrity. It also needs a significant amount of migration activity.