Modeling Google Cloud IAM in SpiceDB | A...
# spicedb
r
Hello, I'm testing SpiceDB for some use cases and found some blog posts about Google Cloud IAM and user-defined roles: https://authzed.com/blog/google-cloud-iam-modeling and https://authzed.com/blog/user-defined-roles. I have modeled a sample use case; what I'm looking for is how to use caveated relationships with the Google IAM model. I saw on the blog that it can be done, but I can't figure out how.

Example I have:

- Admins that can view all projects, and submit and approve all budgets.
- Directors that can view projects they are assigned to, and submit budgets (that are under a defined value, for example $1000, and only if they have a certain IP address).
- Managers that can view projects they are assigned to, submit budgets (if they have a certain IP address), and approve budgets (that are under a defined value, for example $2000, and only if they have a certain IP address).

In my case the caveats (conditions) differ by role. Below is a sample of a schema I made.
```zed
definition user {}

definition role {
    relation project_view: user:*
    relation budget_view: user:*
    relation budget_edit: user:*
    relation budget_approve: user:*
    relation budget_submit: user:*
}

definition role_binding {
    relation user: user
    relation role: role

    permission project_view = user & role->project_view
    permission budget_view = user & role->budget_view
    permission budget_edit = user & role->budget_edit
    permission budget_approve = user & role->budget_approve
    permission budget_submit = user & role->budget_submit
}

definition project {
    relation granted: role_binding

    // Synthetic Instance Relations
    permission granted_view = granted->project_view
}

definition budget {
    relation project: project
    relation granted: role_binding

    permission view = granted->budget_view + project->granted_view
    permission edit = granted->budget_edit + view
    permission approve = granted->budget_approve + view
    permission submit = granted->budget_submit + view
}
```
v
Hi, the way I'd do it is to create a new relation in `role` that defines the budgetary restrictions of the `role` and use it to gate permissions. Something along these lines:
```zed
// The proposed budget is supplied as context at check time; the cap is stored
// on the caveated relationship for the role.
caveat budget_restriction(max_budget int, proposed_budget int) {
  proposed_budget <= max_budget
}

// Assumed definition (the original post references ip_allowlist without
// declaring it): the CIDR is stored on the relationship, the client IP is
// passed as context.
caveat ip_allowlist(allowed_cidr string, client_ip ipaddress) {
  client_ip.in_cidr(allowed_cidr)
}

definition role {
    relation project_view: user:*
    relation budget_view: user:*
    relation budget_edit: user:*
    relation budget_approve: user:*
    relation budget_submit: user:*

    relation budget_restricted: user:* with budget_restriction
    relation ip_allowlist_restricted: user:* with ip_allowlist

    permission submit_budget = budget_submit & budget_restricted
    permission approve_budget = budget_approve & budget_restricted & ip_allowlist_restricted
}
```
Then in `role_binding` you reference the new permissions instead of the relations.
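The answer above carried through into a complete SpiceDB validation file (the format accepted by `zed validate` and the playground), as an added example that is not part of this thread or of the authzed project. It extends the answer to all three roles from the question: each role carries its own cap and CIDR on the caveated wildcard relationships, and `role_binding` and `budget` reference the gated permissions. The caveat `ip_allowlist`, its parameters `allowed_cidr` and `client_ip`, the `user:* | user:* with …` form used to leave admins unrestricted, and all role, user and budget identifiers are assumptions; the relationships and assertions are constructed.

```yaml
# Constructed example: SpiceDB validation file extending the answer to the
# admin / director / manager roles from the question.
schema: |-
  caveat budget_restriction(max_budget int, proposed_budget int) {
    proposed_budget <= max_budget
  }

  // Assumed caveat: CIDR stored on the relationship, client IP passed as context.
  caveat ip_allowlist(allowed_cidr string, client_ip ipaddress) {
    client_ip.in_cidr(allowed_cidr)
  }

  definition user {}

  definition role {
      relation project_view: user:*
      relation budget_view: user:*
      relation budget_submit: user:*
      relation budget_approve: user:*

      // Allow an uncaveated or a caveated wildcard, so admins need no limit
      // while directors and managers carry one on their relationship.
      relation budget_restricted: user:* | user:* with budget_restriction
      relation ip_allowlist_restricted: user:* | user:* with ip_allowlist

      permission submit_budget = budget_submit & budget_restricted & ip_allowlist_restricted
      permission approve_budget = budget_approve & budget_restricted & ip_allowlist_restricted
  }

  definition role_binding {
      relation user: user
      relation role: role

      permission project_view = user & role->project_view
      permission budget_view = user & role->budget_view
      permission submit_budget = user & role->submit_budget
      permission approve_budget = user & role->approve_budget
  }

  definition project {
      relation granted: role_binding
      permission granted_view = granted->project_view
  }

  definition budget {
      relation project: project
      relation granted: role_binding

      permission view = granted->budget_view + project->granted_view
      // Not unioned with `view`: `+ view` would let anyone who can see the
      // budget submit or approve it, bypassing both caveats.
      permission submit = granted->submit_budget
      permission approve = granted->approve_budget
  }

relationships: |-
  role:admin#budget_submit@user:*
  role:admin#budget_approve@user:*
  role:admin#budget_restricted@user:*
  role:admin#ip_allowlist_restricted@user:*
  role:director#budget_submit@user:*
  role:director#budget_restricted@user:*[budget_restriction:{"max_budget":1000}]
  role:director#ip_allowlist_restricted@user:*[ip_allowlist:{"allowed_cidr":"10.0.0.0/8"}]
  role:manager#budget_submit@user:*
  role:manager#budget_approve@user:*
  role:manager#budget_restricted@user:*[budget_restriction:{"max_budget":2000}]
  role:manager#ip_allowlist_restricted@user:*[ip_allowlist:{"allowed_cidr":"10.0.0.0/8"}]
  role_binding:alice_director#user@user:alice
  role_binding:alice_director#role@role:director
  role_binding:bob_manager#user@user:bob
  role_binding:bob_manager#role@role:manager
  budget:q1#granted@role_binding:alice_director
  budget:q1#granted@role_binding:bob_manager

assertions:
  assertTrue:
    # director, under the 1000 cap, from the allowed network
    - 'budget:q1#submit@user:alice with {"proposed_budget": 500, "client_ip": "10.1.2.3"}'
    # manager, under the 2000 cap, from the allowed network
    - 'budget:q1#approve@user:bob with {"proposed_budget": 1500, "client_ip": "10.1.2.3"}'
  assertFalse:
    # over the director's cap
    - 'budget:q1#submit@user:alice with {"proposed_budget": 1500, "client_ip": "10.1.2.3"}'
    # right amount, wrong network
    - 'budget:q1#submit@user:alice with {"proposed_budget": 500, "client_ip": "203.0.113.7"}'
    # directors have no budget_approve at all
    - 'budget:q1#approve@user:alice with {"proposed_budget": 500, "client_ip": "10.1.2.3"}'
  assertCaveated:
    # no context supplied: the check cannot be decided either way
    - 'budget:q1#submit@user:alice'
```

Two design points worth noting. The caveat context (`proposed_budget`, `client_ip`) is supplied by the calling service at check time, so the service must fill it from values it trusts, for instance the source address of the authenticated connection rather than a client-controlled header, or the IP restriction is only as strong as that input. And because `submit` and `approve` are no longer unioned with `view`, a user who merely has `budget_view` cannot sidestep the caveats, which is the behaviour the question asks for.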
r
Thank you, will try this solution