Luke
01/08/2025, 6:16 PM

```zed
definition tenant {
    relation admin: user
    //...
}

definition division {
    relation tenant: tenant
    relation admin: division_identity
    relation division_member: division_identity
    permission division_user = admin + division_member + tenant->tenant_admin
}

definition division_identity {
    relation user: user
}

caveat is_shared_file(file_path string) {
    file_path.startsWith("/shared")
}

definition files {
    relation division: division
    // subjects on this relation carry the caveat; its file_path context is stored with the relationship
    relation shared_division_user: division#division_user with is_shared_file
    // owner, selector and group are not shown in this excerpt
    permission select = owner + selector + group->group_reader + group->group_writer + division->division_admin + shared_division_user
}
```
And in our TypeScript service, we attach the caveat when a file starts with "/shared":

```ts
if (file_path.startsWith('/shared')) {
  relationships.push(
    v1.RelationshipUpdate.create({
      // ...
      relation: 'shared_division_user',
      optionalCaveat: v1.ContextualizedCaveat.create({
        caveatName: 'is_shared_file',
        context: { file_path },
      }),
    }),
  );
}
```
We're using SpiceDB’s “lookupResources” so users see only resources they’re allowed to select. Any suggestions to ensure that all users with division_user on a division see these shared files? Or if there’s a more elegant approach to let the “division->division_user” group inherit this “shared” permission?
Thanks in advance!