# spicedb
Hi all! I'm new to SpiceDB and excited to try it out. I'm looking at one of the examples in the playground: "Google IAM in SpiceDB". It models roles in an interesting way. However, not sure I fully get how it works 🙂 For instance, I don't really understand how the granting of a role is specific to a resource. So I added a few additional test relationships:
```
// Add a second db, instance and project
spanner_database:db2#instance@spanner_instance:instance2
spanner_instance:instance2#project@project:proj2

// Grant admin role to a second user on the second db
role:spanner_database_admin#bound_user@user:specific_db_admin_2
spanner_database:db2#granted@role:spanner_database_admin
```
Now there are two databases (`db1` and `db2`) that both have the role `spanner_database_admin` granted. And since there now are two users (`specific_db_admin` and `specific_db_admin_2`) that both have this role, both users can access both databases:
```
spanner_database:db1#drop:
  - "[user:specific_db_admin] is <role:spanner_database_admin#bound_user>"
  - "[user:specific_db_admin_2] is <role:spanner_database_admin#bound_user>"
spanner_database:db2#drop:
  - "[user:specific_db_admin] is <role:spanner_database_admin#bound_user>"
  - "[user:specific_db_admin_2] is <role:spanner_database_admin#bound_user>"
```
How should the model be changed if I want to grant a role like the `spanner_database_admin` to a specific user on only a specific resource? https://play.authzed.com/s/WsYkHeHJUBqa
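
The over-grant described in the post, reproduced with a small tuple walker. This is an added example, not part of the original post and not SpiceDB or playground code. It assumes a simplified `drop = granted->bound_user` rule (project and instance inheritance left out), assumes the `db1` tuples implied by the expected-relations output, and uses a hypothetical per-resource `role_binding` object for contrast.

```python
# Constructed relationship tuples: (resource, relation, subject).
# The db2 / specific_db_admin_2 tuples come from the post; the db1 tuples are
# assumed from the expected-relations output shown in the post.
SHARED_ROLE = [
    ("role:spanner_database_admin", "bound_user", "user:specific_db_admin"),
    ("role:spanner_database_admin", "bound_user", "user:specific_db_admin_2"),
    ("spanner_database:db1", "granted", "role:spanner_database_admin"),
    ("spanner_database:db2", "granted", "role:spanner_database_admin"),
]

# Hypothetical alternative: one binding object per (resource, user, role),
# so membership is recorded on the binding instead of on the shared role.
PER_RESOURCE = [
    ("role_binding:db1_admin", "user", "user:specific_db_admin"),
    ("role_binding:db1_admin", "role", "role:spanner_database_admin"),
    ("spanner_database:db1", "granted", "role_binding:db1_admin"),
    ("role_binding:db2_admin", "user", "user:specific_db_admin_2"),
    ("role_binding:db2_admin", "role", "role:spanner_database_admin"),
    ("spanner_database:db2", "granted", "role_binding:db2_admin"),
]

def subjects(tuples, resource, relation):
    """All subjects related to `resource` through `relation`."""
    return {s for r, rel, s in tuples if r == resource and rel == relation}

def can_drop_shared(tuples, db):
    """Simplified drop = granted->bound_user: every user bound to any granted role."""
    users = set()
    for role in subjects(tuples, db, "granted"):
        users |= subjects(tuples, role, "bound_user")
    return users

def can_drop_bound(tuples, db, role="role:spanner_database_admin"):
    """drop via per-resource bindings: only users on a binding granted to this db."""
    users = set()
    for binding in subjects(tuples, db, "granted"):
        if role in subjects(tuples, binding, "role"):
            users |= subjects(tuples, binding, "user")
    return users

if __name__ == "__main__":
    for db in ("spanner_database:db1", "spanner_database:db2"):
        print(db, "shared role ->", sorted(can_drop_shared(SHARED_ROLE, db)))
        print(db, "per-resource ->", sorted(can_drop_bound(PER_RESOURCE, db)))
```

Because `bound_user` lives on the role object itself, any resource that grants that role inherits every bound user; moving membership onto a per-resource object is what scopes the grant.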