m
Hello, we are just evaluating SpiceDB for our OS project in the energy grid sector as our authorization solution. Currently we have come across some limitations and we don't know if we have missed something in the documentation. Our scenario is that we have independent modules that are part of an overarching platform with low coupling and self-contained deployment. Our proposal was that we use a global permission schema like RBAC or ABAC with SpiceDB and allow modules to use the global schema, or they can come up with their own and it will be rolled out during deployment (see picture). Now we have seen during our tests that the schema can be overwritten or partially removed, and we see it as too risky to allow modules to make mistakes which would have a big impact on the authorization of all other modules. Question: - As there is no tenant or namespace concept but prefixes, which seem to go in a similar direction, is it possible to restrict the writing of a schema per prefix based on the used access token? Is there at all a possibility to restrict access to certain API functions on the access token level so that we could prevent over-/writing schemas? BR /Marco https://cdn.discordapp.com/attachments/844600078948630559/1304465923142451230/authorization-model-provision.drawio.png?ex=672f7e0f&is=672e2c8f&hm=f4c724285a2dae77643a6646abb2fa0d6dae3be1d1cb941d38dda6069cdadf4b&
v
Hi 👋 A SpiceDB instance is single-tenant. The concept of a prefix is more applicable to the Authzed Serverless offering; in SpiceDB itself, it's just something additional you can add to define logical boundaries in your schema, but there will still be one single schema. There is currently no way in the open-source SpiceDB to authorize based on prefixes. This is supported in the managed SpiceDB offering from Authzed. You can do a custom build of SpiceDB and add your own custom middlewares. You probably would be interested in the composable schemas initiative, which is being developed to support organizational structures like yours. This is currently under development. See https://github.com/authzed/spicedb/issues/1437 Also, API-restriction-wise: same thing, SpiceDB tokens give access to everything, so the answer is no. The middleware mechanism is extensive if you are willing to do your own custom build of SpiceDB.
m
Ok thank you.