# spicedb
j
Hi, I have a question about schema. We have Departments and their Teams. Department is the parent of Teams. Do you have any idea how to describe that a Team viewer has view permission on the parent Department? Link to test schema: https://play.authzed.com/s/KVNk09z5Uv1d/schema There are two invalid assertions, which we need to be valid.
v
We have a similar situation, so just to add my two cents. We tried adding a "child" relation also to the Department object, and in the "view" permission we could add + child->view. This approach seems to be working well in "positive" assertions, but for "negative" ones it falls into recursion, thus making it unusable and apparently incorrect. With that said, we are now also interested in how to approach this use case.
j
Hi, yes, the "child" relation is one of the solutions. But we want to avoid it. We would have to keep a "child" relation in sync every time we moved some teams between departments. We are already doing this with the "parent" relation and therefore did not want to add another similar relation. Currently, we are thinking of solving this by asking SpiceDB if at least one child has permission "view"; if so, it means that it has the parent permission. We will get the children by querying our database. We wouldn't change the SpiceDB schema.
v
This is exactly our thought also. The disadvantage that we see, though, is that the permissions for the Department object would be split across two different systems, i.e. SpiceDB and the database and/or the code querying the database, which kind of defeats the purpose.
j
Yes, but it is possible to wrap this "double" logic into one method. So from the API user's point of view, it won't matter. But we would prefer a "cleaner" solution. That's why I tried to ask this question. Maybe there's a way to use the existing relationship to the parent.
v
Let's see if others have faced this issue and see their approach too 🙂
g
Hi, I just found this thread. I have a similar problem. I have a folder tree structure, and permissions are normally inherited from parent to child. However, in some cases we also want to have inheritance in the opposite direction. If the user has a permission on a child folder (but not on the parent folder), the user should have a view permission on the parent too, so that the tree view does not have gaps. We currently use two relationships for that (parent and child), but it is basically duplicate information. But it does not seem to be possible to "inverse the arrow", which is basically what we would need, i.e. "permission view = parent<-view", to follow the relationship in the opposite direction. Did you find a solution for your use case?