Hi folks, I have a question about
# spicedb
c
Hi folks, I have a question about caveats. We have a use case for attribute-based access control. Like, we want to give users access to some resources only if those resources have a certain property. For example, if the resource is a laptop, we need to restrict the user to laptops that have a certain operating system, i.e. I would like to say you have this permission to manage the laptop if the laptop OS is Windows. My first thought was to try to use Caveats, but on a closer look they seem to be geared more toward dynamic evaluation based on user properties rather than resource properties. Is that correct and I would need an alternative approach, or am I missing something and Caveats is what I should be looking to use? Thanks!
v
Hey, so yeah, your intuition is correct: caveats are better suited for scenarios where certain parameters are only known at request time. You can certainly do this with caveats, trivially, but we always recommend sticking to modeling everything with relations, as it's what makes Zanzibar / SpiceDB scale.
c
So even if I can potentially have many resources, and each has many properties (some of which might never be used for permissions), it would still scale better if I model it with relations rather than caveats?
v
It's a good question; in your specific case I hesitate a bit. Typically, yeah, it would perform better. But I wonder if for your specific case you may actually get better cache-hit ratios by using caveats, because you are caching intermediate subproblems that then need to have the caveat resolved, and if you have few relationships but with many possible caveat values, you would be caching a "normalized" version of the subproblem that would be reused more often, versus having many relationships that are used rarely and have to be fetched from the DB. I'd say just test it with your workload! But the general recommendation is relationships all the way whenever possible. cc @Joey for thoughts here
j
stick with relationships unless you need caveats
c
got it, ok, thanks guys