# spicedb
Hi everyone, I'm trying to validate the SpiceDB usage for my application, and hit a deal breaker for me. Namely, I need to have dynamic roles in my system, and they will be related to resources through standard creator/editor/viewer relations. However, most of them will have a specific permission for all objects of a specific resource type (e.g. role support can view all offerings, superadmins have all permissions for all resources, etc.). I don't want to maintain the relationships, due to maintenance reasons and also to not create redundant overhead.

Since wildcards can only be used on subjects, I was left with 2 solutions:

- have a generic definition for `resource_type` that would enable applying permissions on all objects of the type, and a specific resource definition if I need more granularity; but this doubles the number of check requests, because I have to check whether I have complete access or granular access to the resource
- have a caveat `matches_all` and use some keyword to represent all objects of the given resource type (e.g. `all`), and make a check against it first and then against the real id provided; I heard caveats affect performance, and if I associate it with every permission check I'm worried that I'd lose SpiceDB scalability

Is there any other way to resolve my problem? And if not, which of the mentioned approaches would you recommend?
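For reference, the first option described in the post, written out as a SpiceDB schema. This is an added example, not part of the original post: only the `resource_type` definition name and the creator/editor/viewer relations come from the post, while `user`, `role`, `offering`, the permission names and the sample relationships are assumptions.

```zed
// Added illustration of the "generic resource_type definition" option.
// All names except resource_type and creator/editor/viewer are assumed.

definition user {}

// Dynamic roles: created at runtime, members attached via relationships.
definition role {
    relation member: user
}

// One object per resource type, e.g. resource_type:offering.
// A grant here applies to every object of that type, so no
// per-object relationships have to be written or maintained.
definition resource_type {
    relation creator: role#member
    relation editor: role#member
    relation viewer: role#member

    permission edit = editor + creator
    permission view = viewer + edit
}

// Per-object grants, written only where finer granularity is needed.
definition offering {
    relation creator: role#member | user
    relation editor: role#member | user
    relation viewer: role#member | user

    permission edit = editor + creator
    permission view = viewer + edit
}

// Constructed sample relationships:
//   role:support#member@user:alice
//   resource_type:offering#viewer@role:support#member
//   offering:42#editor@user:bob
//
// "Can alice view offering 42?" is answered with up to two checks:
//   1. resource_type:offering  view  user:alice  -> allowed (type-wide grant)
//   2. offering:42             view  user:alice  -> needed only if check 1 denies
// bob fails check 1 and is allowed by check 2 (editor implies view).
```

The second check is the doubling of requests the post refers to: the two definitions share no relationship, so the type-wide grant and the per-object grant cannot be evaluated in a single check.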