# spicedb
d
Hi all! From the docs, it seems that
LookupSubjects
API can retrieve all users who can read a particular document. Is there an easy way for me to understand why each individual user can read the doc? The
Expected Relations
tab in the Playground can find the users and provide a good reason, e.g.
document:d1#edit_document:
  - "[user:ann] is <document:d1#owner>"
  - "[user:bob] is <usergroup:engineeer#direct_member>"
  - "[user:charlie] is <usergroup:engineeer#direct_member>"
However I don't see an API that does the same thing. Can somebody help?
v
I believe you want to use the Expand API for this
d
Thanks for the help!
I tried the
zed permission expand
CLI function, and got something like this:
markup:point1->view_markup
└── union
    ├── markup:point1->edit_markup
    │   └── union
    │       ├── markup:point1->owner
    │       │   └── user:ann
    │       ├── markup:point1->editor
    │       └── markup:point1->edit_markup
    │           └── union
    │               └── folder:folder1->edit_folder
    │                   └── union
    │                       ├── folder:folder1->owner
    │                       │   └── user:bob
    │                       ├── folder:folder1->editor
    │                       └── folder:folder1->edit_folder
    │                           └── union
    │                               └── folder:folder2->edit_folder
    │                                   └── union
    │                                       ├── folder:folder2->owner
    │                                       ├── folder:folder2->editor
    │                                       │   └── usergroup:engineer->direct_member
    │                                       └── folder:folder2->edit_folder
    │                                           └── union
    ├── markup:point1->viewer
    │   └── user:eve
The documentation says the code will not go infinitely deep, and I may need multiple calls. By inspection I can see the
usergroup:engineer->direct_member
part of the code is not fully expanded. However, how do we know if the child node is fully expanded or not programmatically?
v
that is right, expand may not fully expand, which I know sounds odd 😅 @Joey is Expand the right tool here? @donderful here wants to know why a user had access to a resource.
j
expand is not recursive
expected relations uses a special recursive version of expand
which is not exposed because it is incredibly heavy
@donderful is this for debugging purposes or for actual code to use?
d
it's for actual code to use
for each document, we want the users to know whom it's shared with, and give a reason
j
and do you need the base relation or the entire path?
d
probably just the user group, like in Notion: https://www.notion.so/help/sharing-and-permissions
j
so we've had an idea of adding pathing information to LookupSubjects
which would indicate which relation(s) (as requested) the user was found in
by default off, but if requested, we could keep the info
so if that sounds interesting @donderful, you could file an issue with your ideas and we could investigate it