k.zgara
10/01/2024, 10:53 AM

  definition user {}

  definition tenant {
    relation member: user
    relation admin: user
    relation owner: user
    // admin and owner get tenant-wide access to every folder
    permission retrieve_all_folders = admin + owner
    permission update_all_folders = admin + owner
    permission delete_all_folders = admin + owner
  }

  definition folder {
    relation tenant: tenant
    relation parent: folder
    relation owner: user
    relation viewer: user
    relation reviewer: user
    relation editor: user
    // tenant-wide rights arrive via the tenant arrow, inherited rights via the parent arrow
    permission retrieve = tenant->retrieve_all_folders + parent->retrieve + viewer + reviewer + editor + owner
    permission update = tenant->update_all_folders + parent->update + editor + owner
    permission delete = tenant->delete_all_folders + parent->delete + editor + owner
  }
I also have an attribute tenant_access (a database column) that controls folder access for tenant members with 3 levels: no_access, view_only, editor. Admin and owner always have full access, regardless of tenant_access, while member permissions depend on the tenant_access value.
My problem is applying these conditional permissions efficiently in SpiceDB. I considered using caveats, but they only apply to relations, so I thought about creating 3 specific relations for each enum value and managing access that way.
Alternatively, I thought of omitting caveats and using relationships managed by my application code, creating a relation like folder#viewer@tenant#member when tenant_access is set to view_only, and so on. But I'm concerned about managing edge cases manually and writing many relationships.
I want to have a clear schema that describes all such intricacies in an explicit way rather than manage it through relationships. What's the best practice for handling these conditional permissions in SpiceDB? Thanks!
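One way to make the three tenant_access levels explicit in the schema itself, as an added example that is not part of the original post or of SpiceDB's own documentation: give each level that grants something its own relation whose subject is the tenant's member set, and represent no_access by writing no relationship at all. Which level may do what then lives in the permission expressions, and the application only has to keep one relationship per folder in sync with the column. The relation names member_view and member_edit, the helper permission member_read, and the ids folder:docs and tenant:acme are assumptions chosen for illustration.

```zed
definition user {}

definition tenant {
  relation member: user
  relation admin: user
  relation owner: user
  permission retrieve_all_folders = admin + owner
  permission update_all_folders = admin + owner
  permission delete_all_folders = admin + owner
}

definition folder {
  relation tenant: tenant
  relation parent: folder
  relation owner: user
  relation viewer: user
  relation reviewer: user
  relation editor: user

  // Tenant-wide member access, one relation per tenant_access level that
  // grants something (names are illustrative assumptions, not SpiceDB's):
  //   view_only -> folder:docs#member_view@tenant:acme#member
  //   editor    -> folder:docs#member_edit@tenant:acme#member
  //   no_access -> no relationship is written at all
  // The application writes at most one of these per folder and removes the
  // other when the column changes; the schema decides what each level means.
  relation member_view: tenant#member
  relation member_edit: tenant#member

  // Editors can do everything viewers can, so member_read folds both in.
  permission member_read = member_view + member_edit

  // admin/owner still arrive through the tenant arrow and are unaffected by
  // tenant_access; parent arrows inherit whatever the parent folder grants,
  // including its member_view/member_edit relationships.
  permission retrieve = tenant->retrieve_all_folders + parent->retrieve + viewer + reviewer + editor + owner + member_read
  permission update = tenant->update_all_folders + parent->update + editor + owner + member_edit
  permission delete = tenant->delete_all_folders + parent->delete + editor + owner + member_edit
}
```

With this schema, setting tenant_access to view_only on folder docs of tenant acme is a single write, for example `zed relationship create folder:docs member_view tenant:acme#member` (zed CLI syntax assumed), and switching it to editor means deleting that relationship and creating `folder:docs member_edit tenant:acme#member`; no_access is the absence of both. The edge cases the post worries about shrink to one invariant the application must hold: at most one member_* relationship per folder. If you would rather keep the database column as the single source of truth and avoid syncing relationships at all, the alternative is a caveat on a single `member: tenant#member with ...` relation whose tenant_access value is supplied in the check request context; that removes the sync but means lookup-style queries can only be answered once that context is known.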