I have a resource that can be restricted or unrestricted. If it is restricted, it should have part of it's permissions restricted to a whitelist. Admins can always see all resources in their team. What's the best way to model this. I have a few solutions, but none are ideal. Common schema:

definition user {}

definition team {
    relation normal: user
    relation admin: user
    
    permission update = admin
    permission member = admin + normal
}

Option 1: wildcards

definition part {
    relation owning_team: team
    relation whitelist: user | user:*
    
    permission write = (owning_team->member & whitelist) + owning_team->admin
}

When the part is created, the whitelist would need to be created with the wildcard for all users by default. This is a drawback. When we want to use the whitelist to restrict a part, we remove that wildcard relationship and add the whitelisted users as whitelist relationships. Option 2: denormalize relationships and caveat

definition part {
    relation owning_team_admin: team
    relation owning_team_unrestricted: team with is_unrestricted
    relation whitelist: user
    
    permission write = (owning_team_unrestricted->member & whitelist) + owning_team_admin->admin
}

The drawback here is that we need to denormalize the data have duplicate relationships. Is there a better way of doing this?

also, I'm new to spicedb, so general feedback on how I've structured the schema is appreciated

relations will generally be better able to take advantage of caching than caveats

as for the question of the wildcard needing to be written, that sounds sane to me, even if it's a little cumbersome - you're still going to be checking "does the user have access to this object?" and i'd personally want that to be an explicit "yes" that's captured by a relation