SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

Hi, I'm new to spiceDB and I'm trying to build an RBAC system similar to what GCP has with custom roles, and role bindings.

I'm going through the Modeling Google Cloud IAM in SpiceDB blog post (https://authzed.com/blog/google-cloud-iam-modeling) and I'm wondering why prefixing all synthetic permissions with "granted_" ?

this is probably a question for <@802245842077483029> who wrote the article, but I think it's superfluous

I usually name synthetic relations by just converting the arrow `->` to an underscore `_`, so `granted->spanner_databases_beginorrollbackreadwritetransaction` becomes `granted_spanner_databases_beginorrollbackreadwritetransaction`

it usually reads really well, e.g. `parent->has_admin` becomes `parent_has_admin`

got it.
If I have a multitenant system where the tenant is an "organization", should I also add an organization relation to the role object type?

I want to allow users to create custom roles

I don't think there are any general conventions around naming, up to you!