SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

Hi all!

I'm relatively new to SpiceDB, and am trying to model a specific scenario but can't quite figure out how. 

I have a resource called `vendor`. I would like to add a permission called `edit` to the vendor, which should be true for an admin on the tenant, or an owner on the vendor, but only when the vendor is `custom`. This is what the model currently looks like: 
```
definition vendor {
    relation tenant: tenant
    relation owner: user

    permission view = tenant->view
    permission change_status = tenant->admin + owner
    permission edit = tenant->admin + owner //only when the vendor is custom
}
```
I believe that I need a caveat like this, but I'm not sure:
```
caveat is_custom_vendor(is_custom bool) {
  is_custom == true
}
```
Any ideas? Will I need to offload the `is_custom_vendor` check to the application? If not, how should I model this?