SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

with regards to managing permissions through "teams", e.g "this role within this team, should have access to all orders related to the team", would it be correct to model the team as a resource, with each role being a relation, and then have the resource have a relation to the team, with a "global" permission on the team. E.g something like this

```
definition user {}

definition team {
    relation account_manager: user
    relation sales_director: user
    relation member: user

    permission view_associated_orders = sales_director + account_manager
}

definition order {
    relation team: team

    permission view = unit->view_associated_orders
}
```