harry
01/20/2025, 8:48 PM
LookupResources to find the groups the user can access.
2. For each group, perform another LookupResources with the view permission and the subject group#member to determine which resources the group can access.
This approach requires multiple LookupResources calls. Is this a good practice? Or should I consider storing the relationship between groups and resources in a separate database and using SpiceDB solely for permission checks?
For reference, here’s the schema I’m using:
definition user {}

definition resource {
    relation manager: user | group#member | group#manager
    relation viewer: user | group#member | group#manager
    permission manage = manager
    permission view = viewer + manager
}

definition group {
    relation owner: user
    relation manager: user
    relation direct_member: user
    permission member = owner + manager + direct_member
    permission manage = owner + manager
}