Hey everybody! My name is Alex, and my team is currently evaluating SpiceDB/Authzed to use it in our product. We like it very much so far, however there are some questions we need to clarify, and I would appretiate very much someone can point me to the right direction. Here's a (a part of the) scheme we have developed:

definition org {
    relation admin: user
    relation member: user
    relation partner: partner

    permission view = admin + member + partner
}

definition user {
    relation self: user
    relation org: org

    permission view = self + org->admin + org->partner
}

definition partner {}

definition transaction {
    relation org: org
    relation user: user

    permission view = user + org->admin + org->partner
    permission edit = user + org->admin
}

We are trying to answer the question "who can view transactions". The idea that the transaction can be viewed by the user who made it, but the admin of the org to which this transaction belongs, and by the partner of the org. As long as we are talking about referencing transaction by id, everything is clear, for the set of relarionships

org:foo#partner@partner:bar
transaction:baz#org@org:foo

assertion

transaction:baz#view@partner:bar

evaluates to

true

. What is not clear is, how it should work for the use case when we get multiple transactions based on some filters and pagination. I've read about the Lookup API and found this article https://authzed.com/blog/acl-filtering-in-authzed/, but it's not clear how the workflow should actually look like. Let's extend the example above with one more org-to-partner relationship, and one more transaction for this org

org:qux#partner@partner:bar
transaction:quuz#org@org:qux

Now let's say that

partner:bar

requests to view all the transactions of

org:qux

. If I use the Lookup API to get the list of all transaction that this partner has access to, I wlil receive 2 transactions id,

transaction:baz

and

transaction:quuz

.