SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

Hi, I wasn't sure how to name this thread. But let me explain my concern. A user can_view an "*agreement*". An "*agreement*" is linked to a "*bankaccount*". Some user cannot view some "*bankaccount*" linked  to an "*agreement*".
At first I thought to model "*bankaccount*" as a resource and model a permission on it. But then I thought I may only model "*agreement*" as a resource and define two permissions: *can_view_agreement * and *can_view_agreement_and_bankaccount*. Obviously, if a user *can_view_agreement_and_bankaccount *he *can_view_agreement *as well.
Eventually I want to show a list of *agreements *a user *can_view *with, on the same line, the *bankaccount *if he can view it as well.
WDYT?

you can use the `&` operator to define a permission as requiring a set of other permissions/relations

it would also help if you put together a playground that got at what you're trying to do

and while deciding the granularity of your permission system is always an interesting design problem, if you think that you're going to need to express the idea that a user should be able to view some subset of either agreements or bank accounts, it probably makes sense to model them as separate definitions