SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

another option would be to have a distinct `documentstate` definition:

```
definition user {}

definition documentstate {
  relation viewer: user
  permission view = viewer
}

definition document {
  relation state: documentstate
  permission view = state->view
}
```

in this design, you have three resources for each document, representing the three states, with associated users. When you want to change the state of the document, you simply change the relationship between a `document` and its `state`, and it gets the associated users that can view in that state