Hello,
A quick query on how to enforce access to the authorization model and its relationship check.
Assuming I have a centralized Authorization Engine using SpiceDB.
The said system can host multiple schema definitions which can be prefixed with "Globally unique Slug"
for e.g
definition organization_a/document {
relation writer: authzsystem/user
relation reader: authzsystem/user
permission edit = writer
permission view = reader + edit
}
definition organization_a/user { }
organization_a/document:firstdoc#reader@organization_a/user:fred
definition organization_b/document {
relation writer: authzsystem/user
permission edit = writer
}
definition organization_b/user { }
organization_b/document:firstdoc#writer@organization_b/user:fred
How to support the requirement where a given Organization (with its namespace/key organization_a/b) can only access their respective namespace data and its relationship checks via SpiceDB HTTP API ?
Does API provide a way to connect to single instance of SpiceDB with a key that is specific to each namespace?
This is basically to ensure provisioned data in SpiceDB is isolated and protected
Do I need to spawn multiple instances of SpiceDB with a preshared key specific to each organization?