Hi all!
# spicedb
c
Hi all! Do you have any resources with some examples of how to use SpiceDB in a somewhat "real" example? Preferably a Python application? 🙂 I'm trying to understand how to actually use SpiceDB to check permissions. Do I first ask SpiceDB if a given user with some attributes/roles has permission to read some resource? What then if I have to check many resources? I.e. for a `/all` endpoint that's supposed to fetch all rows in some table, but the given user should only be able to read some of those rows. Thank you in advance for pointing me in the right direction 🙂
v
👋 We have a docs site with an entry on how to get started with an example application, and you can switch between languages. Not sure if it qualifies as "real" - not sure what that means in this context 😅 - but it's probably a good place to start! https://authzed.com/docs/spicedb/getting-started/protecting-a-blog The SpiceDB Playground is also a great resource for learning and experimenting: https://play.authzed.com It even comes with a bunch of examples to select from. When it comes to checking, yes you want to perform calls to SpiceDB `CheckPermission`, which answer the question "can subject do on resource ". SpiceDB will figure out if they have permission based on any of the grants you may have modeled. If you have many resources, you can either use `BulkCheckPermission` to check various resources, or use `LookupResources`, which answers the question "tell me all the resources of type that subject has permission on".
c
Thanks for getting back to me so quickly! Indeed, that is a practical example! I apologize for my unclear wording earlier. 🙂 I've reviewed that example and found it to be a helpful starting point. The only aspect I felt was lacking was a more "comprehensive" example. Nevertheless, I suppose the most instructive example will be the one I create through my experimentation. 🙂 Ah, I understand now. 🙂 If I may, I'd like to pose a brief follow-up question regarding your last point: If I already have a table filled with a significant amount of data and I decide to implement SpiceDB, what steps should I take? I'm assuming I would need to iterate over all the rows, assigning permissions to each row in that table. Afterward, I could proceed as you suggested: issue a query like "tell me all the resources of type that subject has permission to read", receive a list of IDs, and then perform a database query for those records, correct?
b
@Covey I use SpiceDB for a safety application; and for things like a 'list all jobs' endpoint I do a LookupResources 'job' for user:x; and then pipe that directly into my SQL queries ('where id IN ....').
c
Nice 🙂 Thanks for chiming in! I'll create a small POC and start exploring I think 🙂
v
Exactly, of course you have to be mindful that depending on the size of that list, both `LookupResources` and the JOIN in your database are going to eventually get slower with the size of that list, but for starters it would work. And yes, your thinking is right, when you onboard your application to SpiceDB you want to do a "backfill" where you evaluate your main DB's data and write SpiceDB relationships. There are many approaches for this, some folks treat SpiceDB as a denormalized form of the data in the DB, and use either application dual writes, or strategies like transaction log tailing. Other folks treat SpiceDB as source of truth and only store there certain information - it depends on your application. Or a mixture of both approaches!
c
Right 🙂 Thank you!