10/05/2021, 2:41 PM
The very short of it is that SpiceDB/Zanzibar is for deterministic decisions based on what relationships people/resources have. Policy engines enable you to write arbitrary code that is not embedded within your application to make decisions. If you were using both, a policy engine would be more useful for doing something like "verifying the request" such that it has an allowed IP address, came from approved client software, etc., and then you could query SpiceDB whether or not that user has the correct relationships to take an action.