Hi, I couldn’t find a clear understanding of this, could you help me or point me to some documentation on how to use it correctly? I’m trying to: 1. Find all users who have permission to read any posts. 2. Find all posts that can be read (though I’m not sure if this is possible). I’m using

lookup-subjects

and

lookup-resources

with a simple schema from tutorials:

zed schema read
definition user {}
definition post {
    relation reader: user
    relation writer: user
    permission read = reader + writer
    permission write = writer
}

I have only one user and one post:

zed relationship read post writer
post:1 writer user:emilia

When I run lookup-subjects, I can successfully find `emilia`:

zed permission lookup-subjects post:"1" read user
user:emilia

However, when I try using a wildcard

*

, which seems to be allowed based on the request format

"^(([a-zA-Z0-9/_|\-=+]{1,})|\*)$"

, I get nothing:

zed permission lookup-subjects post:"*" read user

For

lookup-resources

looks like it doesn’t seem to support this type of query:

zed permission lookup-resources post reader user:"*"
rpc error: code = InvalidArgument desc = invalid argument: cannot perform lookup resources on wildcard

Is there a way to achieve what I’m trying to do, or are these queries not supported? Any guidance would be greatly appreciated! Thanks!

there explicitly is not a notion of an object wildcard in spicedb

Thanks for your response @yetitwo! Could you clarify what you mean by "synthetic"? Do I need to refer the user with an ID * that connects all posts? Here's my use case: I have a user and some critical operations, such as sending money. The rules for sending money can vary. I want to understand who is currently allowed to send money and how to implement this effectively. Simple schema looks like this: I added a caveat to understand how it works, but it seems like this might not be the best way to use it..

definition user {}

definition group {
    relation members: user
}

caveat only_owner_allowed(allower_user_id string, user_id string) {
     allower_user_id == user_id
}

definition account {
    relation money_sender: user with only_owner_allowed
    relation owner: user
    relation admin: user | group#members
    relation viewer: user | group#members

    permission view_stats = viewer
    permission block = admin 
    permission can_withdraw = money_sender
}

My goal is to understand the correct way to grant a user permission to send money. One approach I’m considering is creating a

money_sender

group and checking if the user belongs to it

group:money_sender#in@user:123

. However, I feel this might not align well with a proper ReBAC approach.

groups are fine under rebac

Thanks! Yes, an account belongs to a single person, but multiple users can be associated with it. For example, some users may be viewers who can see the person's transactions, while admins may have permissions to manage data changes or adjust access levels

then yeah, i'd express those as different kinds of relations

Thanks! I need to think sometime about how we want to implement it in our system and what is better for us.