# spicedb
p
Hey I'm trying to get my head wrapped around spicedb to figure out how to model stuff. Let's say I have a schema like this
```
definition user {}

definition group {
    relation member: user

    permission read = member
}
```
where members of a group are granted read permission on a group. In the database I'm modeling this with, `group`s have a flag called `is_public`, and when it is `True` it should allow any user to be able to read it. How would I go about modeling it? I'm guessing it has something to do with caveats since this is really an ABAC question but I'm a bit lost
a
You could use caveats but caveats can also make other features not work as well, like lookup resources. Would this work for you?
```
definition user {}

definition group {
    relation member: user
    relation reader: user | user:*

    permission read = member + reader
}
```
In this case you write a reader relation to user:* for public groups.
p
Hmm yeah that could work. It feels like it's not very extensible but I think I'm just going to have to find a better question to ask. Thank you!
a
How else do you need to extend it?
j
> not work as well
less efficient; it still works but we have to do a follow-up check for now
but yes, a wildcard is the correct solution here
p
I'm not entirely sure now, I'm going to have to think about it a bit more. I think I was thinking about doing roles earlier and my gut feeling was some kind of approach with ABAC, but I read the blog post on how to do roles with a ReBAC approach which made sense. I think I'm starting to grasp it better, it'll probably just take getting some more experience now
j
yeah, the general rule of thumb is: do it using relationships until you can't
then caveats fill in the rest
relationship-based control will always be more efficient
partially because it caches better