# spicedb
Hi all! From the docs, it seems that API can retrieve all users who can read a particular document. Is there an easy way for me to understand why each individual user can read the doc? The Expected Relations tab in the Playground can find the users and provide a good reason, e.g.
```
  - "[user:ann] is <document:d1#owner>"
  - "[user:bob] is <usergroup:engineeer#direct_member>"
  - "[user:charlie] is <usergroup:engineeer#direct_member>"
```
However I don't see an API that does the same thing. Can somebody help?
I believe you want to use the Expand API for this
Thanks for the help!
I tried the `zed permission expand` CLI function, and got something like this:
```
└── union
    ├── markup:point1->edit_markup
    │   └── union
    │       ├── markup:point1->owner
    │       │   └── user:ann
    │       ├── markup:point1->editor
    │       └── markup:point1->edit_markup
    │           └── union
    │               └── folder:folder1->edit_folder
    │                   └── union
    │                       ├── folder:folder1->owner
    │                       │   └── user:bob
    │                       ├── folder:folder1->editor
    │                       └── folder:folder1->edit_folder
    │                           └── union
    │                               └── folder:folder2->edit_folder
    │                                   └── union
    │                                       ├── folder:folder2->owner
    │                                       ├── folder:folder2->editor
    │                                       │   └── usergroup:engineer->direct_member
    │                                       └── folder:folder2->edit_folder
    │                                           └── union
    ├── markup:point1->viewer
    │   └── user:eve
```
The documentation says the code will not go infinitely deep, and I may need multiple calls. By inspection I can see the part of the code is not fully expanded. However, how do we know if the child node is fully expanded or not programmatically?
that is right, expand may not fully expand, which I know sounds odd 😅 @Joey is Expand the right tool here? @donderful here wants to know why a user had access to a resource.
expand is not recursive
expected relations uses a special recursive version of expand
which is not exposed because it is incredibly heavy
@donderful is this for debugging purposes or for actual code to use?
it's for actual code to use
for each document, we want the users to know whom it's shared with, and give a reason
and do you need the base relation or the entire path?
probably just the user group, like that in notion: https://www.notion.so/help/sharing-and-permissions
so we've had an idea of adding pathing information to LookupSubjects
which would indicate which relation(s) (as requested) the user was found in
by default off, but if requested, we could keep the info
so if that sounds interesting @donderful, you could file an issue with your ideas and we could investigate it