I'm wondering how to correctly model
# spicedb
t
I'm wondering how to correctly model this in SpiceDB: https://play.authzed.com/s/mNNMMnoI4gB_8/schema

- Normal users and admins belong to an organization
- Resources can be viewed/edited by the people who created them (owner_user) and the admins of the organization (owner_org->admin)
- Users can be viewed/edited by the admins of the organization (owner_org->admin)

I think the 3rd requirement can only be modelled if the user has a relation with organization? But the organization already has users as their "member".

organization->member
user->owner_org

Modelling the same relation in both directions (user->org, org->user) seems like a bad idea. Is there a way to model this differently?
v
It's completely fine to write the reverse relationship when the business requirements demand it, but folks tend to be surprised by it. Something that could be done to perhaps improve the user experience here is to support inverse relationships out of the box: https://github.com/authzed/spicedb/issues/356
t
Thank you. Yes, I'm a bit worried about inconsistent states when for some reason only 1 of the 2 relations is created or deleted.
y
would they always be written at the same time?
v
yeah ideally those are written in the same `WriteRelationships` transaction. If for business logic constraints that cannot be the case, then yeah there is a scenario that could end up inconsistent