Hi everyone. I have just started playing on the playground and I was trying to model a fictitious use case and am coming up short. I would appreciate any insights. My use case is: Say I am starting up a new, fresh backend. There is no data loaded. The backend will be API-first, which means I need to be able to authorize the first API coming in. I thought about introducing a superuser account that will be authorized to, say create a user with "admin" permissions. I was then hoping to somehow "disable" the superuser permission directly inside SpiceDB based on the fact that there is now a "real" user with sufficient permissions. So far I have been unable to make this work. Any ideas?

boolean flags can be represented as a relation from an object to itself:

definition user {}

definition platform {
  relation admin: user
  relation superuser_enabled: platform
  permission create_user = admin + superuser_enabled
}

then you'd write:

platform:platform#superuser_enabled@platform:platform

at the start, and remove that relation when the first user is created

Thanks for this explanation. I understand that the superuser relation can be removed later. I was hoping to get it "disabled automatically", i.e. through some rule set inside SpiceDB. But for that one would need to be able to get a Boolean condition, e.g. any_admin_exists, then one would be able to do something like: permission restricted_superuser = superuser_enabled & !any_admin_exists. But of course this is not how things work. Removing the relalation as you suggest is viable of course. I was just hoping to not have to track the existence of that relation in the app. Thanks for the help though!

sure thing!