https://authzed.com logo
Join Discord
Powered by
Caveats | SpiceDB and AuthZed Documentat...
# spicedb
u
OK here's the tricky bit of information I'm looking for. If you lock a document in our system (let's say we change status from 'available' to 'locked'), I would need to push that status into SpiceDB and then use the document field into a static resolver somewhere? https://authzed.com/docs/reference/caveats Am I on the right track?
v
Unless 
lock
status is of dynamic nature (e.g. in that it's not persisted in your applications database and it's determined at request time), I wouldn't model this with caveats. You can certainly do it, it' just not the right tool for the job. I'm missing a bit of context of what you are trying to achieve, but assuming you want to unauthorize access to a locked resource, you can always do something like this
Copy code
definition document {
  relation viewer: user
  relation locked: user:*
  
  permission view = viewer - locked
}
What you achieve here is that by using the wildcard you can deny access to everybody by writing the to 
locked
.
u
lock status would be persisted in our MySQL DB yes. "you want to unauthorize access to a locked resource" Yes but not only do we want to do that, we want granular permission. We used to have only 'view' and 'edit' actions and we want to go granular now. edit:name, edit:status, and so on. So instead of reinventing the wheel or scaling our current source code adding more complexity and missing key features like scalability/caching, we're looking into switching to the best open source framework to deliver that part of our tech stack.
We looked into: Casbin, Ory Keto, OpenFGA, Permify, Permit.io and spiceDB. We're still exploring but I'm pretty set on building a tiny MVP using SpiceDB and see how it goes from there. I'm just trying to make sure there's no long term limitation. I have product people asking me that kind of stuff:
Copy code
For:
- RootDocument
- If status is [SOME CUSTOM VALUE]
- For users with Workspace Role [SOME CUSTOM VALUE]
- If Collaborator Role [SOME CUSTOM VALUE]
- Allow 'comments'

For:
- Document
- If status is [SOME CUSTOM VALUE]
- For users with Workspace Role [SOME CUSTOM VALUE]
- If Collaborator Role is [SOME CUSTOM VALUE]
- Allow [‘complete_steps’, ’enter_data’, ‘create_comments’]
- If action allowed on document.rootDocument
And I'm like hold on satan. Don't worry, we'll design a system that can scale but let's solve the baby steps first.
Copy code
definition document {
  relation viewer: user
  relation locked: user:*
  
  permission view = viewer - locked
}
If I understand well, I would need to create a locked relation between 'document:1234' and 'user:*' in the DB when I'm locking a document? And that would work without caveat actually.
j
correct
v
@_thommas yeah you want to model everything as part of the graph (i.e. as relations) whenever possible. If you add caveats, you'll be caching permutations of the result of a subproblem, rather than just the subproblem. SpiceDB takes your schema and decomposes in smaller cacheable subproblems so they can be reused for subsequent requests, for the duration of a specific max staleness window.
as for fine grained access, SpiceDB is really good at it. You can get a feel as you experiment with it.
PreviousNext
Powered by