# spicedb
y
so i'd ask if there's a way to invert your modeling so that you're granting users/enterprises/teams access to a feature
u
Features are allowed by default unless restricted at enterprise level or campaign level or user, team level. So the granting you mentioned is by default.
y
gotcha. one way to go is to use wildcards + negation; this is probably the easiest approach to grok and the easiest one to write. it's potentially somewhat expensive to compute, however, because any check that would eventually come back positive is going to have to load all of the relations that would potentially negate the check
i probably wouldn't use caveats* for this
there's also a conversation here that might have some bearing: https://discord.com/channels/844600078504951838/844600078948630559/1359264349142782134 if any of the logic in question is booleanish
u
Thanks! Using wildcard is an option. Will explore more in that angle. Thanks for the other discussion link! Will check that out as well.
y
sure thing!
u
Any example schemas you can send my way that use wildcard and negation?
y
it'd be something to the effect of:
```
definition resource {
  relation all_users: user:*
  relation disabled_team: team
  relation disabled_user: user
  relation disabled_organization: organization
  permission view = all_users - disabled_user - disabled_team->member - disabled_organization->member
}
```
u
Great! Thank you! This should give some direction.
y
mind that you'll need to write the `user:*` relation on this resource for the permission computation to work - otherwise it will always be empty
u
Thanks! That makes sense. I will try this in playground further.