Schema Language
# spicedb
e
Hi there 👋 When defining permissions using the provided [operations](https://authzed.com/docs/spicedb/concepts/schema#operations) I was wondering if there are any performance implications per operation. For example, is `exclusion` perhaps (generally) more expensive to compute than `union` for certain operations like `lookup-resources` etc? I'm thinking about "best practices" when defining permissions; like having smaller permissions and combining them via `union` vs using the `exclusion` operation more frequently etc.
v
Hey 👋 yeah, intersections and exclusions are more expensive than unions, so if you can model something only through unions, that will help with performance. Another aspect is where in the schema those intersections and exclusions reside. The schema describes a graph; if you consider an example where it forms a tree (no cycles), then the closer to the root that intersection/exclusion is, the more expensive it will be to compute, so moving those intersections closer to the leaves of the tree helps with perf as well.
e
Thank you for this info! If I understand correctly, it depends mostly on the height of the tree, right?
v
yes, and how wide relationships are (e.g. number of relationships on a single `relation`)
e
A little follow-up question 🙂 When does a permission definition have most impact on costs/performance? For example: if I define a permission (let's say via union of others), but never use it in any query, would it incur costs when inserting data nevertheless? Or only when I query for it?
v
it only has impact at query time
you can add as many permissions as you want
e
Nice, thank you!