03/22/2022, 9:46 AM
Hello, a quick query on how to enforce access to the authorization model and its relationship checks. Assume I have a centralized Authorization Engine using SpiceDB. This system can host multiple schema definitions, which can be prefixed with a "globally unique slug", e.g.:

definition organization_a/document {
    relation writer: authzsystem/user
    relation reader: authzsystem/user
    permission edit = writer
    permission view = reader + edit
}

definition organization_a/user {
}

organization_a/document:firstdoc#reader@organization_a/user:fred

definition organization_b/document {
    relation writer: authzsystem/user
    permission edit = writer
}

definition organization_b/user {
}

organization_b/document:firstdoc#writer@organization_b/user:fred

How can I support the requirement where a given organization (with its namespace/key organization_a/b) can only access its respective namespace data and its relationship checks via the SpiceDB HTTP API?

Does the API provide a way to connect to a single instance of SpiceDB with a key that is specific to each namespace? This is basically to ensure provisioned data in SpiceDB is isolated and protected.

Do I need to spawn multiple instances of SpiceDB with a preshared key specific to each organization?