The easy way to solve this is to actually define a relation between the group and all the docs. Even if you only ever have one vip_group, you can just assign all docs to that one vip group with a parent_group relation, and then inherit permissions from there. SpiceDB models relations as a graph, so if you don’t define the relation there is no “path” to walk during the permission checks