Covey
02/29/2024, 8:57 AM
/all endpoint that's supposed to fetch all rows in some table, but the given user should only be able to read some of those rows.
Thank you in advance for pointing me in the right direction 🙂
vroldanbet
02/29/2024, 9:05 AM
CheckPermission, which answers the question "can subject do on resource ". SpiceDB will figure out if they have permission based on any of the grants you may have modeled.
If you have many resources, you can either use BulkCheckPermission to check various resources, or use LookupResources, which answers the question "tell me all the resources of type that subject has permission on".
https://cdn.discordapp.com/attachments/1212685087372738580/1212686969079996456/image.png?ex=65f2bdc0&is=65e048c0&hm=1a192b52b19d2b24c0073fd4c3568858dbd07ae794c1c2fe580b3d1f3c1ac240&
Covey
02/29/2024, 9:14 AM
brentpi_35990
02/29/2024, 9:15 AM
Covey
02/29/2024, 9:19 AM
vroldanbet
02/29/2024, 10:18 AM
LookupResources and the JOIN in your database are going to eventually get slower with the size of that list, but for starters it would work.
And yes, your thinking is right, when you onboard your application to SpiceDB you want to do a "backfill" where you evaluate your main DB's data and write SpiceDB relationships. There are many approaches for this, some folks treat SpiceDB as a denormalized form of the data in the DB, and use either application dual writes, or strategies like transaction log tailing. Other folks treat SpiceDB as source of truth and only store there certain information - it depends on your application. Or a mixture of both approaches!
Covey
02/29/2024, 12:13 PM