yetitwo
08/10/2022, 7:11 PM
definition site {
    relation accesses: user | persona
}
one of the constraints of personas is that a persona shouldn't grant access to an object that a user wouldn't otherwise have. the way we're currently approaching this is in calling logic, asking for readPermissions on both the persona and user and then returning the intersection of the results.
I remembered that there's a way to express permissions as the intersection of two relations: https://docs.authzed.com/reference/schema-lang#-intersection. is there a way to use this to push this kind of logic down into spicedb somehow? otherwise my sense is that the way that spicedb works doesn't quite support this sort of constraint concept (which is fine).