Wide relations
# spicedb
b
Hi, I am testing this model:
definition user {}

definition role {
    relation assignee: user
    permission edit = assignee
}

definition module {
    relation editor: role
    permission edit = editor->edit
}
with a use case of multiple roles assigned to a specific module:"payments", where each role represents a different tenant:
user-1 -> role-1 -> module:payments
user-x -> role-x -> module:payments
Testing this model, I found that as the number of roles grows, the query gets really slow, for example with a data set of 2000 roles:
~ zed permission check module:payments edit user:user-999 --explain
8:17AM INF debugging requested on check
true
✓ module:payments edit (250.510208ms)
├── ⨉ role:role-0,role-1,role-10,role-100,role-1000,role-1001,role-1002,role-1003,role-1004,role-1005,role-1006,role-1007,role-1008,role-1009,role-101,role-1010,role-1011,role-1012,role-1013,role-1014,role-1015,role-

...

962,role-963,role-964,role-965,role-966,role-967,role-968,role-969,role-97,role-970,role-971,role-972,role-973,role-974,role-975,role-976,role-977,role-978,role-979,role-98,role-980,role-981,role-982,role-983,role-984,role-985,role-986,role-987,role-988,role-989,role-99,role-990,role-991,role-992,role-993,role-994,role-995,role-996,role-997,role-998,role-999 assignee (229.226876ms)
    └── user:user-999
Is there a better modeling I can do to resolve this issue? Or maybe this is not the right solution for the described model? Thanks!
v
That seems overly slow to me for 2K elements, what does it look like with just 1 role? Unfortunately we don't have a better solution right now for "wide relations". When a dispatch involves an indirect subject, SpiceDB does this.
The role is however not quite well defined, as you can't really discern permissions unless you have relations for each permission. A way to do this is using the wildcard relation to act as a "feature flag":
relation has_edit: user:*
permission edit = has_edit & assignee
To your perf issue, how are you testing this, what's the setup? The only way to avoid that dispatch is finding a design that turns a non-terminal relation into a terminal relation. What happens if you do "edit = editor->assignee" instead?
b
Thanks for the reply. I am testing it on my laptop, running MySQL + SpiceDB in Docker. I've tested your recommendation and there isn't any difference. Using a test tool I've got a p99 of ~50ms, which I think is OK for other use cases. But for an RBAC model with a lot of roles it is not the right tool to build classic REST API authZ with a latency of p99 ~5ms.
v
alright 👍
j
you expect a module to have hundreds or thousands of roles?
b
I am providing an option to create custom roles in a multi-tenant app; this can lead to thousands of roles
j
it should be noted MySQL is not optimized compared to the other datastore implementations