Consider this use case. Let's say we want to use spicedb to authorize access to network ports on a host. One way would be add each network port exposed on a host as a resource along the lines of ":" into spicedb and program relations to allow only certain users access to the network ports. However, say there are some 'super users' that should be allowed access to any of the network ports on the host. Is there a way to express this without enumerating each potential network port (in thousands) on each host as a resource in spicedb? We could possibly express a relation between the super user and the host, but that would require two check requests, one against host:port and one against host.
Another idea would be express the port as a permission and have host as the resource. This would require us to modify the schema to express each network port as a permission and schema would need to be updated as we enable more ports. But to support the super user use case we would need to add every single network port as a permission in the schema. Would it be useful to support a 'default' permission in a relation, which is used when the permission in the check request does not match anything defined in the schema? The default permission could check to see if the user has an 'any' relation to the host.
Any other ideas?