Weird policy question. Is it possible to use Spice...
# spicedb
j
Weird policy question. Is it possible to use SpiceDB to express a policy where a user needs to have all of a particular set of relations in common with a resource to gain a permission? The specific scenario I'm thinking about is this. 1) Documents can have a number of tags assigned to them expressing information protection regimes like `GDPR` and `HIPPA`, so you might end up with a resource that looks something like `document.tags = ["GDPR", "HIPPA"]`. 2) Likewise, users can be members of these tags (typically after receiving the appropriate training). So a user might look something like `user.tag_memberships = ["GDPR", "CCPA"]`. What I want to express: a `user` has `read` permissions on a `document` if they are a member of all of a document's tags. For example, if I have `document.tags = ["GDPR", "HIPPA"]` and `alice.tag_membership = ["GDPR", "CCPA"]`, then Alice should not have `read` permission on `document`. But if I have `bob.tag_membership = ["GDPR", "HIPPA"]`, then Bob should have `read` permission on `document`. I can get the easier case of users must have membership in at least one document tag expressed easily in spice (https://play.authzed.com/s/wRJQSATx7Bj0/assertions):
definition user {}

definition document {
    relation tag_viewer: tag
    relation viewer: user

    permission view = viewer & tag_viewer->member
}

definition tag {
    relation direct_member: user

    permission member = direct_member
}
But can't figure out how to require 100% overlap between the relationships.
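Editor's note, not part of the post above: the "at least one tag" behaviour comes from the standard arrow `tag_viewer->member`, which is a union over the related tags. SpiceDB's schema language also has an intersection arrow, written `relation.all(permission)`, which requires the subject to hold the permission on every related resource, which is exactly the "100% overlap" asked for. The validation file below is an added example (the schema, object IDs `doc1`, `gdpr`, `hippa`, `ccpa` and the `view_any` permission are constructed for illustration) in the format `zed validate` and the playground consume; it keeps the poster's `view` as the all-tags rule and adds `view_any` to show the any-tag rule side by side.

```yaml
# Added example: SpiceDB validation file (schema + relationships + assertions).
# Run with: zed validate tags.yaml
schema: |-
  definition user {}

  definition tag {
      relation direct_member: user

      permission member = direct_member
  }

  definition document {
      relation tag_viewer: tag
      relation viewer: user

      // Standard arrow: union over tags, so membership in ANY tag suffices.
      permission view_any = viewer & tag_viewer->member

      // Intersection arrow: the user must be a member of EVERY tag on the document.
      permission view = viewer & tag_viewer.all(member)
  }

# Constructed sample data mirroring the scenario in the post:
# doc1 is tagged GDPR + HIPPA; alice holds GDPR + CCPA; bob holds GDPR + HIPPA.
relationships: |-
  document:doc1#tag_viewer@tag:gdpr
  document:doc1#tag_viewer@tag:hippa
  document:doc1#viewer@user:alice
  document:doc1#viewer@user:bob
  tag:gdpr#direct_member@user:alice
  tag:ccpa#direct_member@user:alice
  tag:gdpr#direct_member@user:bob
  tag:hippa#direct_member@user:bob

assertions:
  assertTrue:
    # Alice matches one of doc1's tags, so the any-tag rule admits her.
    - "document:doc1#view_any@user:alice"
    # Bob matches both of doc1's tags, so the all-tags rule admits him.
    - "document:doc1#view@user:bob"
  assertFalse:
    # Alice is missing HIPPA, so the all-tags rule denies her.
    - "document:doc1#view@user:alice"
```

Two things to check before relying on this: the intersection arrow exists only in recent SpiceDB releases, so confirm the server version you deploy accepts `.all(...)`; and decide explicitly what a document with no tags should do (open to all `viewer`s, or closed) and pin that down with its own `assertTrue`/`assertFalse` rather than assuming the empty-set behaviour. Intersection arrows are also costlier to evaluate than a plain arrow, since every related tag has to be checked, so keep the tag set per document small.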