Hey I'm trying to get my head wrapped
# spicedb
p
Hey I'm trying to get my head wrapped around spicedb to figure out how to model stuff. Let's say I have a schema like this
Copy code
definition user {}

definition group {
    relation member: user
    
    permission read = member
}
where members of a group are granted read permission on a group. In the database I'm modeling this with, `group`s have a flag called
is_public
, and when it is
True
it should allow any user to be able to read it. How would I go about modeling it? I'm guessing it has something to do with caveats since this is really an ABAC question but I'm a bit lost
a
You could use caveats but caveats can also make other features not work as well, like lookup resources. Would this work for you?
Copy code
definition user {}

definition group {
    relation member: user
    relation reader: user | user:*
    
    permission read = member + reader
}
In this case you write a reader relation to user:* for public groups.
p
Hmm yeah that could work. It feels like it's not very extensible but I think I'm just going to have to find a better question to ask. Thank you!
a
How else do you need to extend it?
j
> not work as well less efficient; it still works but we have to do a followup check for now
but yes, a wildcard is the correct solution here
p
I'm not entirely sure now, I'm going to have to think about it a bit more. I think I was thinking about doing roles earlier and my gut feeling was some kind of approach with ABAC, but I read the blog post on how to do roles with a ReBAC approach which made sense. I think I'm starting to grasp it better, it'll probably just take getting some more experience now
j
yeah, the general rule of thumb is: do it using relationships until you can't
then caveats fills in the rest
relationship-based control will always be more efficient
partially because it caches better