when you say "access" are you talking about at check time or when you go to modify a user's access to give them additional access? ------------------------------------ right now i am working on spicedb playground only so i am checking it as assertion , so when i say access its at check time look this is my spicedb schema https://play.authzed.com/s/FqZKmEUjvO7L/relationships --------------------------------------------------------------------- definition platform { relation client: tenant relation members: user permission can_access = members + client->can_access } definition tenant { relation advertising: ad_account relation members: user // Renamed permission to follow best practices permission can_access = members + advertising->can_access + advertising } definition ad_account { relation branding: brand relation members: user relation tenant: tenant // Renamed permission for consistency permission can_access = members + branding->can_access } definition brand { relation modules: module permission can_access= modules } definition module { relation planner: user relation viewer: user relation approver: user relation admin: user permission view = viewer + planner + approver + admin permission edit = planner + admin permission approve = approver + admin permission delete = admin permission create = planner + admin } definition user {} and relation // Assigning tenants to the platform platform:sphere#client@tenant:tesco-uk platform:sphere#client@tenant:foodstuffs-nz platform:square#client@tenant:tesco-uk // Assigning Ad Accounts to a Tenant tenant:tesco-uk#advertising@ad_account:TUK-dove tenant:tesco-uk#advertising@ad_account:TUK-dove // Assigning Brands to Ad Accounts adaccount:TUK-dove#branding@brand:dove // Assigning Modules to Brands // brand:dove#modules@module:insights brand:dove#modules@module:insights brand:dove#modules@module:measurement brand:dove#modules@module:booking // Assigning Users to Ad Account (Users must belong to an Ad Account) ad_account:TUK-dove#members@user:josh ad_account:TUK-dove#members@user:ram ad_account:TUK-dove#members@user:shyam ad_account:TUK-dove#members@user:ravi // Assigning Users to Roles in Modules (Role-Based Access) module:insights#planner@user:josh module:measurement#viewer@user:ram module:booking#approver@user:shyam module:insights#admin@user:ravi ------------------------------------------- that user issue with the platform is also there ---------------------------------------------------------------------