Can someone tell me what I'm doing wrong here? https://play.authzed.com/s/B_kdTvoeYO5-/assertions api_key:key1#view@user:admin1 and api_key:key1#edit@user:admin1 fail to validate. I expected it to go key1 -> owner_org: bot1#owner_org = org1 -> org1#admin = admin1.

definition api_key {
    relation owner_org: bot#owner_org
    permission edit = owner_org->admin
    permission view = edit
}

$ zed permission check --explain api_key:key1 owner_org organization:org1
true
✓ api_key:key1 owner_org (0s)
└── ✓ bot:bot1 owner_org (0s)
    └── organization:org1 
$ zed permission check --explain organization:org1 admin user:admin1
true
✓ organization:org1 admin (0s)
└── user:admin1 
$ zed permission check --explain api_key:key1 owner_org organization:org1
true
✓ api_key:key1 owner_org (0s)
└── ✓ bot:bot1 owner_org (0s)
    └── organization:org1 
$ zed permission check --explain api_key:key1 edit user:admin1
false
⨉ api_key:key1 edit (0s)

that check does not resolve to

user

, it resolves to

organization

type, because the relation is

bot#owner_org

Ok, I guess if you know that using a relation which has a # in a permission with a -> is not possible there are different ways to model around it. But I would have expected it to work. I'll try to remember it. 🙂 But I think this should be mentioned here: https://authzed.com/docs/spicedb/concepts/schema#--arrow

yep I understand the friction, been myself there, it still does not feel right