Is there any way to know a relation is
# spicedb
r
Is there any way to know a relation is `direct` assigned or `inherited` from parent in `Lookup` or `Expand` APIs? This is super useful and necessary to prevent deletion of `inherited` relationships (which don't have an exact record in the database) by not adding a `delete` button to them in the `UI`.
v
I'm not sure I understand what "direct / inherited" means in the context of a relation. Could you perhaps elaborate with an example?
r
Assume the schema below. When we use the `Lookup` or `Expand` APIs, the relation assigned as `admin` to `org` will be an admin in `project` too, which is an `inherited` relationship from the `parent (org)`.
- The relation assigned to a user on the `org` object as `admin` is a `direct` assignment. (Could be deleted permanently.)
- The `admin` relation above, shown in the `Lookup` result for `project`, is an `inherited` assignment. (Could not be deleted permanently; deletion is only possible by deleting its `parent`, which is the `org` direct assignment.)
```
definition org {
    relation admin: user
    relation viewer: user

    permission all = admins + viewer
    permission admins = admin
    permission viewers = viewer

    permission read = all
    permission create = admins
    permission update = admins
    permission delete = admins
}

definition project {
    relation parent: org

    relation admin: user
    relation viewer: user

    permission all = admins + viewers
    permission admins = admin + parent->admins
    permission viewers = viewer + parent->viewers

    permission read = all
    permission create = admins
    permission update = admins
    permission delete = admins
}
```
v
Thanks for clarifying. SpiceDB does not offer this information as part of the response, and how a subject is granted a permission is entirely application specific and driven by the schema and the relationships present in the system. `Expand` does give you information on how a permission was granted, but please do note, and this is important, that `Expand` does not recursively expand the relation graph, unlike `LookupResources`. From the `Expand` response your application can introspect the path, so you'd see that a permission was granted either via `project#admin` or `project#parent->admin`. I understand you are trying to somehow generalize some logic based on these traits so you don't have to add bespoke code to handle deletions for each possible resource in your application. I infer you are building some sort of permission management UI so that you can, say, render the "delete grant" button in the UI or not. The way this is typically done in UIs is not by rendering the button based on the `project#admins` permission, but instead by doing `ReadRelationships` over `project#admin`. So the UI would show "roles" that come with "permissions" associated.
r
Thanks a lot. Yes, I'm trying to build a permission system; I will check it to see how to do it with `ReadRelationships`.