SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

Upfront: help appreciated! I'm trying to model a scenario in which `users` are members of `projects` and `projects` have `software` available to their members. The twist is ... I would like to add the constraint that the administrator of the `project` can deny specific `users` certain `software` from their project. This would not necessarily mean the user cannot use some software, only that it is forbidden via that project. If they are a member of another project that allow them access this is OK. 

The best I can come up with is https://play.authzed.com/s/Q1bdOcP7jyhY/schema ... in which I require the context information to also contain the software to use and check that in a caveat. It appears what I would really like is that the context automatically contain information about the object (rather than requiring the callee to duplicate that information) ... but I can't see anyway to do that. If anyone has a more concise or relational way to solve this problem (without the schema knowing about all the available software) I'd be very grateful.