SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

How can I modify the following schema to ensure that all `users` with a specific role within *any* `organization` are granted `read` permissions for `product`? And what relations would I have to write to SpiceDB?

Here's the basic schema:

```plaintext
definition user {}

definition organization {
    relation some_role: user
}

definition product { ... }
```

I've considered two potential solutions:

1. Assign the `reader` relation to `product` directly from `organization#some_role`:

   ```plaintext
   definition product {
     relation reader: organization#some_role
   }
   ```

   I would then establish a relationship from each `product` to all `users` with the specified role.

2. Create an `org` relation within `product` and define the `read` permission based on the `some_role` relation in `organization`:

   ```plaintext
   definition product {
     relation org: organization
     permission read = org->some_role
   }
   ```

   Subsequently, I would link every `product` to every `organization`.

---

Are there alternative methods to accomplish this?