Users, Roles, Modules - Multitenancy
# spicedb
d
Hey guys, I'm new here and got a question! We've modeled our access management logic and figured out that SpiceDB might be the right thing to use, but we struggle with achieving some things. We've already had a few schemas, so we know it's possible to get it right, but we lack an idea of how to manage a few things.

The idea: We are building a multi-tenancy solution for Users. A User has a default Tenant, but can also be invited to other Tenants. There are Modules, to which each Tenant may or may not have access. Those Modules have different roles, specific to each Module. A User can have a Role assigned at some Module, but only for a single Tenant (i.e. the User's default/main Tenant is 'CitiBank', but they can be a guest at 'BCG'; 'CitiBank' and 'BCG' both have access to the Module 'Payments', but the User has access in CitiBank with the role 'Operator' while at 'BCG' they are in the role of 'Auditor'). But they can't access it if the Tenant does not have access to the Module, so these two rules + the role need to be set.

The goal: We want to have a single source of truth, so we also want to be able to query SpiceDB to get the list of Tenants, the Modules assigned to a Tenant, the Levels for each Module, the Users assigned to a Tenant (default and guest), and also for each User to be able to determine what User Roles are set for each Module. To give you a better picture, we've created a diagram describing the relationships. We have a few schemas already created that lack some of the business requirements so far, so I would like to ask you guys if you have an idea how to manage that in a proper, conventional way, so we can easily call SpiceDB to retrieve all of the data by setting the right relationships and permissions. Many thanks for your input! https://cdn.discordapp.com/attachments/844600078948630559/1285887685449220136/lhu_authz.png?ex=66ebe7ba&is=66ea963a&hm=e388ca7579562afe527288d02d51bad282468294b4626fd7aeed054e3c41fb28&
starting a thread so we don't mess up the channel
v
👋 So the idea is that you can only be granted one role per tenant over a module? This cannot be enforced at the schema level; the application will have to enforce it when writing relationships. This can usually be done with write preconditions. How does the application decide "on behalf of which tenant is the user acting"? It sounds to me that users wear "multiple hats", so they are almost like different logins or "sessions": e.g. Joey is now acting on behalf of CitiBank. They would have a selector in the UI, or something along those lines. To me this sounds like you need to treat that concept, "user with a hat", as the subject type of the application. Otherwise, if you use users with roles assigned, it will be additive (the sum of all tenant roles). Once that's clarified, I think it would be relatively easy to model. It's more the realization that the user, as a concept, does not work unless you add the "active tenant" to the mix.
d
Hey @vroldanbet, thanks for the reply! So, yes, we're aware of the fact that we can't enforce one role per tenant in a module; that's going to be done on our side. Yes, precisely, we do have an option to set the "current tenant" during the session, so when we ask for a permission we provide the tenant as a parameter. We do have a few schemas, but it's also important that we can clearly get the permissions of the user for the tenant's modules by a 'read' command on zed. We have managed to model it, but it did not meet the criteria when it comes to getting the user's permissions.
v
> we do have an option to set "current tenant" during the session, so when we ask for permission we provide the tenant as a parameter.

Then on top of the user you need another subject that will carry this information. E.g. you could have the ID be the concatenation of the tenant id and the user id.

> get the permissions of the user for the tenant's modules by 'read' command on zed.

Can you please clarify this? `ReadRelationships` does not compute any permissions, it only reads the relationships. Can you formulate what the use-case is?