SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

With the schema below, is it possible to enforce the following constraints?
1. Create a user group that is a member of only one org
2. Members of user group must always be members of the org

Or it is something that need to be done outside of SpiceDB?

```
definition app/user {}

definition app/org {
    // relations
    relation member: app/user
    relation admin: app/user

    // permissions
    // org
    permission membership = member + admin
}

definition app/user_group {
    // relations
    relation org: app/org
    relation member: app/user | app/user_group#member
    relation admin: app/user | app/user_group#member

    permission membership = member + admin
}
```

Also how do you decide if org should have a relation on group(see below) or group should have a relation on org(above)? 

```
definition app/org {
    // relations
    relation group: app/group
}
```