williamdclt
05/06/2022, 8:42 AMExpandPermissionTree
endpoint. I'd expect it to return all subjects who have the given permission on the given resource, but that doesn't seem to be the case: it returns a tree of set operations where the leaves are the subjects. That means that if I want to know which subject actually has the permission, I'd need to apply the operations myself?
For example:
$ zed permission expand caregivers_csv_upload agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad
agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad->caregivers_csv_upload
└── exclusion
├── agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad->account_manager
│ ├── user:f71c18fc-fd2f-4a96-ab65-020cb00670c5
│ ├── user:f9ed57f2-c881-4c3c-9fd5-f67043de3118
│ ├── user:fdf84719-e48f-4637-b5c4-2efa32948602
└── agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad->flag_rostering_integration
└── user:*
There's an exclusion operation with user:*
so I'd expect SpiceDB to tell me that 0 subjects have this permission. But nothing in the ExpandPermissionTree response seems to contain this information. Am I missing something?