https://authzed.com logo
#spicedb
Title
# spicedb
a

alexkorotkikh

03/03/2022, 7:03 PM
Hey everybody! My name is Alex, and my team is currently evaluating SpiceDB/Authzed to use it in our product. We like it very much so far, however there are some questions we need to clarify, and I would appretiate very much someone can point me to the right direction. Here's a (a part of the) scheme we have developed:
Copy code
definition org {
    relation admin: user
    relation member: user
    relation partner: partner

    permission view = admin + member + partner
}

definition user {
    relation self: user
    relation org: org

    permission view = self + org->admin + org->partner
}

definition partner {}

definition transaction {
    relation org: org
    relation user: user

    permission view = user + org->admin + org->partner
    permission edit = user + org->admin
}
We are trying to answer the question "who can view transactions". The idea that the transaction can be viewed by the user who made it, but the admin of the org to which this transaction belongs, and by the partner of the org. As long as we are talking about referencing transaction by id, everything is clear, for the set of relarionships
Copy code
org:foo#partner@partner:bar
transaction:baz#org@org:foo
assertion
transaction:baz#view@partner:bar
evaluates to
true
. What is not clear is, how it should work for the use case when we get multiple transactions based on some filters and pagination. I've read about the Lookup API and found this article https://authzed.com/blog/acl-filtering-in-authzed/, but it's not clear how the workflow should actually look like. Let's extend the example above with one more org-to-partner relationship, and one more transaction for this org
Copy code
org:qux#partner@partner:bar
transaction:quuz#org@org:qux
Now let's say that
partner:bar
requests to view all the transactions of
org:qux
. If I use the Lookup API to get the list of all transaction that this partner has access to, I wlil receive 2 transactions id,
transaction:baz
and
transaction:quuz
.