Hi, I am trying to model the following scenario using SpiceDB: 1. A

user

has a

user_role

that grants them permissions to all resources of a certain type within a

vhost

(a customer/tenant in a multi-tenant system). 2. A

receivable_invoice

is a resource type that can either be a charge or a credit based on its attributes. 3. A

user

should only have access to update a

receivable_invoice

that is a charge if they have the

charge__write_without_delete

permission. Similarly, they should only have access to update a

receivable_invoice

that is a credit if they have the

credit__write_without_delete

permission. I was able to accomplish this with the following schema using caveats, but I'm curious if there is a simpler way to achieve this. This schema requires tuples written like

receivable_invoice:all#charge@vhost:vhost1[is_charge]

even though this relation should exist for all vhosts, since it is just accomplishing the caveat logic.

caveat is_charge(charge bool) {
    charge == true
}

caveat is_credit(credit bool) {
    credit == true
}

definition user {}

definition user_role {
    relation member: user
}

definition vhost {
    relation charge__write_without_delete: user_role#member
    relation credit__write_without_delete: user_role#member
    
    permission has__charge__write_without_delete = charge__write_without_delete
    permission has__credit__write_without_delete = credit__write_without_delete
}

definition receivable_invoice {
    relation charge: vhost with is_charge
    relation credit: vhost with is_credit

    permission update = charge->has__charge__write_without_delete + credit->has__credit__write_without_delete
}

Appreciate any tips you have, thanks!