williamdclt05/06/2022, 8:42 AM
endpoint. I'd expect it to return all subjects who have the given permission on the given resource, but that doesn't seem to be the case: it returns a tree of set operations where the leaves are the subjects. That means that if I want to know which subject actually has the permission, I'd need to apply the operations myself? For example:
There's an exclusion operation with
$ zed permission expand caregivers_csv_upload agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad->caregivers_csv_upload └── exclusion ├── agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad->account_manager │ ├── user:f71c18fc-fd2f-4a96-ab65-020cb00670c5 │ ├── user:f9ed57f2-c881-4c3c-9fd5-f67043de3118 │ ├── user:fdf84719-e48f-4637-b5c4-2efa32948602 └── agency:63ed361f-a0b7-41fc-9c4b-143e0fe792ad->flag_rostering_integration └── user:*
so I'd expect SpiceDB to tell me that 0 subjects have this permission. But nothing in the ExpandPermissionTree response seems to contain this information. Am I missing something?