SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

Hi!

Given the following schema:

`definition user {}

definition organization {
    relation user: user
    relation enable_zone: zone

    permission membership = user
}

definition project {
    relation user: user
    relation org: organization
    relation disable_zone: zone

    permission membership = organization->membership + user
    permission enable_zone = org->enable_zone - disable_zone
}

definition zone {
    relation public: organization:*
    relation private: organization
    relation deny: organization

    permission zone_visible = public + private - deny
}`

We need to grant the permission  `enable_zone` at organization level only if in the zone the org has `zone_visible` permission and at the same time in the organization the zone has a relation in  `enable_zone`

Use case: Suppose that we have `organization:org-a `and the relation `enable_zone` with  `zone: zone-a` and at same time we deny the `organization: org-a` at `zone:zone-a`. With the current schema, having the zone in the `enable_zone` relation means it does not matter if the organization is denied in the `zone`, and we do not know how to fix this. 

We are aware that removing the `enable_zone` relation at organization level it would work, but we want to know if there is another possibility.