# spicedb
Hello 👋 , I’m evaluating SpiceDB as a solution for us and have been trying to implement one of our more complicated authorization paths to get a feel for the product. I’m having difficulty with one part of the schema development that I was hoping someone could help clear up. For a little background, my company uses tokens for authentication and they have associated permissions with them (permissions are not necessarily tied to a specific user because it depends how the tokens are created, whether it’s a 3rd party token or not). I’ve tried to boil down the issue into a very generic and succinct schema below. Essentially the question is: How do I specify that the `resource`’s `view` permission is dependent on the `token`’s relation when there isn’t a link between them? To put it a different way, the resource is only allowed to be viewed if the `token`’s `user` is the owner and the `token` has that extra permission.
```zed
definition user {}

definition extra_permission {}

definition token {
  relation user: user
  relation extra_perm: extra_permission
}

definition resource {
  relation owner: user
  permission view = owner + // how to put logic for <extra_permission> here?
}
```
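One way to model this, as an added example that is not part of the post above and not an official SpiceDB answer: instead of storing the token's extra permission as a relationship, it is supplied at check time as caveat context, so no `resource`-to-`token` link is needed. The caveat name `token_has_extra`, the context key `token_permissions` and the value `"extra"` are assumptions made here for illustration.

```zed
// Added example, not from the original post. Assumption: the caller's
// token permissions are sent with every CheckPermission request as
// caveat context (the `context` field of CheckPermissionRequest).

// Hypothetical caveat: true only when the token carries "extra".
caveat token_has_extra(token_permissions list<string>) {
  "extra" in token_permissions
}

definition user {}

definition resource {
  // Ownership relationships are written with the caveat attached, e.g.
  //   resource:doc1#owner@user:alice[token_has_extra]
  // so the owner relationship by itself never grants anything.
  relation owner: user with token_has_extra

  // view holds only when the subject is the owner AND the check was made
  // with context {"token_permissions": ["extra", ...]}. A check made with
  // a token lacking "extra", or with no context at all, is not permitted
  // (SpiceDB reports it as conditional / missing context, not as a grant).
  permission view = owner
}
```

With this shape the `token` object is no longer needed in the graph; if tokens must also exist as objects for other checks, the same caveat can be attached to the `owner` relation while keeping the `token` definition from the post unchanged.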