https://authzed.com logo
#spicedb
Title
# spicedb
d

devoxel

03/14/2022, 8:00 PM
I came up with something, but it's not very good: https://play.authzed.com/s/wmxWSUBCX3pu/schema
Copy code
// Compute group space collisions
//   This means - any groups that have colliding spaces. EG
//     groupA{ all=RW, r1=nil } + groupB{ all=RW, r2=nil } + groupC{ all=R, r2 = nil, r3 =n nil } 
//   Each of these groups provides a default, which means it operates on every resource.
//   Any other group definition that explicitly removes a group will collide with that space.
//   So, for each of these groups, compute all possible membership tuples
//   (A, B) + (A, C) + (B, C)
// 
// This means n!/(2*(n-2)!) * n extra rules

uninherit_group:uninherit_r1#except@group:A_B#member
uninherit_group:uninherit_r1#except@group:A_C#member
uninherit_group:uninherit_r1#except@group:B_C#member

uninherit_group:uninherit_r2#except@group:A_B#member
uninherit_group:uninherit_r2#except@group:A_C#member
uninherit_group:uninherit_r2#except@group:B_C#member

uninherit_group:uninherit_r3#except@group:A_B#member
uninherit_group:uninherit_r3#except@group:A_C#member
uninherit_group:uninherit_r3#except@group:B_C#member
this certainly feels like a bad solution