# spicedb
Hi Team, I am trying to design the schema of a bank loan approval authZ model with SpiceDB.

An approver can have the following attributes:
- location (bank branch of the approver, who is an employee of the bank)
- designation (ex: associate, manager, loan_manager)
- department (credit_card, home_loan etc)

A loan can have the following attributes:
- location (branch of the bank where loan was sanctioned from)
- department (loan type) [example: credit_card, home_loan etc]

AuthZ Caveats for loan approval are:
1. loan.location == approver.location
2. loan.department = approver.department
3. approver.designation = the designation required for loan approval

I came up with the following schema:
```
definition user {}

// caveat for a loan to be approved by a bank employee
caveat check(user_location string, loan_location string, user_department string, loan_type string, user_designation string, allowed_designation string) {
    user_location == loan_location && user_department == loan_type && user_designation == allowed_designation
}

definition loan {
    relation operator: user with check // user can operate on a loan if checks are fulfilled

    permission operate = operator
}

definition location {
    relation work: user // employee has a base location
    relation pos: loan  // loan's place of sanction
}

definition designation {
    relation hold: user // user holds a designation
}

definition department {
    relation belong: user // employee belongs to a department
    relation handle: loan // loan is handled by a department
}
```
Continue to next message...
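As an added illustration (not part of the original post and not SpiceDB project code), the same three rules expressed without a caveat. In the caveated version every one of the six parameters has to be supplied as context by the caller at check time, so the caller is asserting the employee's branch, department and designation rather than SpiceDB deriving them from stored relationships. The variant below keeps the poster's `location`, `department` and `designation` definitions but points the `loan` relations at those objects and computes `operate` as the intersection of three arrow walks; the relation name `required_designation`, the object ids and the users are constructed sample data. The file is written in the validation-file layout accepted by `zed validate` and the playground (schema, relationships, assertions), which is an assumption about that tool's format.

```yaml
schema: |-
  definition user {}

  definition location {
      relation work: user          // employee's base branch
  }

  definition department {
      relation belong: user        // employee belongs to a department
  }

  definition designation {
      relation hold: user          // user holds a designation
  }

  definition loan {
      relation pos: location                        // branch the loan was sanctioned from
      relation handle: department                   // loan type (credit_card, home_loan, ...)
      relation required_designation: designation    // hypothetical: designation needed to approve

      // An approver must appear in all three sets: same branch, same
      // department, and holding the required designation. Each fact is a
      // stored relationship, so nothing is trusted from the request context.
      permission operate = pos->work & handle->belong & required_designation->hold
  }

# Constructed sample relationships.
relationships: |-
  location:branch_a#work@user:alice
  location:branch_a#work@user:bob
  location:branch_b#work@user:carol
  department:home_loan#belong@user:alice
  department:home_loan#belong@user:carol
  department:credit_card#belong@user:bob
  designation:loan_manager#hold@user:alice
  designation:loan_manager#hold@user:carol
  designation:associate#hold@user:bob
  loan:hl_1001#pos@location:branch_a
  loan:hl_1001#handle@department:home_loan
  loan:hl_1001#required_designation@designation:loan_manager

assertions:
  assertTrue:
    # alice: branch_a, home_loan, loan_manager -> all three rules hold
    - "loan:hl_1001#operate@user:alice"
  assertFalse:
    # bob: right branch, wrong department and designation
    - "loan:hl_1001#operate@user:bob"
    # carol: right department and designation, wrong branch
    - "loan:hl_1001#operate@user:carol"
```

Running `zed validate` on the file exercises the assertions. The trade-off against the caveat version is that each attribute has to be written to SpiceDB as a relationship when an employee changes branch, department or designation, but the check itself then needs no caller-supplied context and cannot be satisfied by a client that passes in attributes it should not have.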