# spicedb
@User if you wanted to do this solely via SpiceDB, you could do so by having the subject you're checking be granted relationships on specific sub-relations. as an example:
```
definition user {
    relation viewer_only: user
    permission all = viewer_only
}

definition document {
    relation writer: user#all
    relation reader: user#all | user#viewer_only

    permission edit = writer
    permission view = reader + edit
}
```
in this example, you grant a role on `document` to either `user#all` or to `user#viewer_only`. Then, at check time, you can check for `user:whomever#all` as the subject or `user:whomever#viewer_only`, and it'll "scope down" based on that. Since `#all` also includes the lower "scopes", it'll handle that case too. Playground link here: https://play.authzed.com/s/NvrMRnPDnnT4/