10/04/2022, 9:15 PM
SpiceDB looks interesting. Authorisation/permissions has been a difficult problem in a few systems I have worked on. The one thing that I'm not really convinced on is centralising complex permissions. At some level, it becomes very hard to separate what is a 'permission' and what is 'domain business logic'. In most distributed systems, encapsulation is considered one of the most important principles. If your permissions systems are complex, then your shared permission system becomes a complex monolith combining the complexity of all other systems. Perhaps I'm thinking about this the wrong way, though? It seems, at the very least, that relationships and permissions should only be written from a limited set of places. 'Almost a permissions for permissions'.