SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

The query you're sending to spicedb is "Can user U access software S?" , and we want the answer to be "it depends which project you're accessing `S` through" – that sounds like context to me, the (Resource, Permission, Subject) tuple doesn't specify enough info.

One way to hack that extra info in would be treat software under different projects as different software. For example, if two projects share a `TaskManagement` software, you could encode the project into the `software` ID:
```
definition software {
    relation project: project
    relation banned: user
    permission access = project->member - banned
}

software:projA-TaskManagement#project@project:projA // TaskManagement for Project A specifically
software:projB-TaskManagement#project@project:projB // TaskManagement for Project B specifically
software:projB-TaskManagement#banned@user:U // U is banned in Project B only
```
Now the queries have enough info to go off:
```
software:projA-TaskManagement#access@user:U // True
software:projB-TaskManagement#access@user:U // False
```