Hi, I have a schema question and I think
# spicedbs
StardustCoyote
04/09/2025, 2:20 PMHi, I have a schema question and I think I'm misunderstanding the documentation. I have a permission scenario about forms that's something of a truth matrix:
1. I need to check that the user is able to view the form's data. I think i have this figured out based on the schema
2. a form is always "about" someone in my use case. I need to also check that the user is permissioned to read data about that person
For example I have form ABC about user Alice. Form ABC uses template 1. Bob has permissions to read template 1, so he can read form ABC. But bob may or may not have permission to read data about Alice. I'm ..not entirely sure how to model the 2nd half.
so my schema looks like this (abbreviated)
definition group {
relation direct_member: user
relation view_groups: group
permission member: direct_member
}
If bob is a member of a group, and the view_group ties to the group alice is in, he should be able to view her data. (I'm not convinced this is the right relationship at all)
definition template {
relation read_data: group
permission read = group->member
}
definition form {
relation about: user
relation form_template: template
permission can_read_data: template->read & ????
}
I've rolled this custom in a postgres database but..we're evaluating authzed to solve a lot of the home-rolled issues.
y
yetitwo
04/09/2025, 2:35 PMone thing to keep in mind as you're figuring out how to phrase schema is that a permission expression is not a boolean expression - it's describing a set, and the permission check evaluates to true if the set is nonempty
yetitwo
04/09/2025, 2:39 PMi'm having a think on this case
yetitwo
04/09/2025, 2:56 PMyetitwo
04/09/2025, 2:57 PMwhat the set part means in practice is that for phrasing this logic, you need the left and right side of your intersection to refer to sets that include the same user
yetitwo
04/09/2025, 2:57 PManother thing to keep in mind is that it helps to think about a permission chain as being a walk from an object to a subject
s
StardustCoyote
04/09/2025, 2:58 PMi think i see what you are saying. i've gotten my logic backwards in terms of how to look at the second half.
y
yetitwo
04/09/2025, 2:58 PMyeah, exactly
yetitwo
04/09/2025, 2:58 PMwhich is something that i tripped on a lot when i was first getting my head wrapped around modeling
s
StardustCoyote
04/09/2025, 2:58 PMi'll go tinker with this, thank you so much (i need to ...wrap my head around it)
y
yetitwo
04/09/2025, 2:58 PMand in this case it feels a little weird to have relations pointing away from a user, but that's how the walk needs to be constructed
yetitwo
04/09/2025, 2:59 PMyou also need to be careful when you've got relations pointing away from your normal subject, because you have a potential to introduce cycles in the data
yetitwo
04/09/2025, 2:59 PMwhich will then cause recursion depth exceeded errors in SpiceDB
s
StardustCoyote
04/09/2025, 2:59 PMhonestly that's reassuring to hear from someone who works there! i know sql more than a little but i've been struggling to flip my thinking into this way of modeling. and definitely.
y
yetitwo
04/09/2025, 3:00 PMyeah, when i was learning i found it was helpful to look at examples and try to grok how they worked
yetitwo
04/09/2025, 3:01 PMand i've also found that doing tdd-style development of a schema using the assertions can be helpful, because figuring out how to phrase the assertions can help you realize important things about how your schema has to be structured
s
StardustCoyote
04/09/2025, 3:01 PMi will definitely take that advice as i'm not the biggest fan of TDD in other contexts (not to start a holy war) but that makes sense to use it here!
StardustCoyote
04/09/2025, 3:02 PMthank you again!
y
yetitwo
04/09/2025, 3:02 PMsure thing!
5 Views