# spicedb

devoxel

03/11/2022, 3:39 PM
Follow-up question: How might this work when you want to have users be members of multiple groups? I've got an example here: https://play.authzed.com/s/AQghMTPYJ7J2/schema
```
// A inherits RW (except r1, no permissions)
resource:global#reader@group:A#member
resource:global#writer@group:A#member
resource:r1#uninherit@group:A#member

// B inherits RW (except r2, no permissions)
resource:global#reader@group:B#member
resource:global#writer@group:B#member
resource:r2#uninherit@group:B#member

group:A#member@user:matt
group:B#member@user:matt
```
Here matt would no longer see any resources (which makes sense, it's how the schema is defined), but it's probably clear to most people that the expected behaviour would be that they could see ALL resources. That is, we only want to uninherit permissions if it doesn't conflict with another group definition.