The zanzibar literature makes a big point about reverse indexing, but as far as I can tell the paper doesn't actually describe an API that leverages that. Expand is the same direction as "check" (object to user). What was Zanzibar's "reverse" API? Did they have a "reverse expand"?

It's not in the paper but yes, there is a reverse expand. Lea Kissner wrote about it here: https://docs.google.com/document/d/1KbJ8Gc65mTkSQXFqBalbiCbGuQClTQDRmKCg1BExAN4/edit > Reverse-index expand. “What can [identity] do?” receives a list of (verb, object) pairs that identity is allowed to do, such as “can WATCH video/1234”.

Wow thank you. I have read so many Zanzibar materials, including stuff from Lea, and yet never run into this doc. Thanks so much for sharing!

haha yes it's a pretty obscure, but still public, document

@ecordell we should add an annotation to zanzibar.tech pointing to this

Hello, to explain this, I use a very short code that I wrote in Prolog.https://www.linkedin.com/pulse/google-zanzibar-access-management-language-like-go-prolog-divol-7k4dc/?trackingId=5Gt79fNmQaKWc7UjCm648Q%3D%3D