# spicedb
t
A question about schema modelling: If a user can become temporarily suspended, how do you incorporate that in a permission check? I know I can model the suspension state itself with a self-relation on the user. But that would require propagating that state to all entities on the path, right?
v
Not sure what you mean by "propagating to all entities"; perhaps an example of how you are modeling it would help. It's pretty common to implement this like:

use expiration

definition user{}
definition resource {
  relation viewer: user
  // the ban relationship carries an expiration, so it stops applying on its own
  relation banned: user with expiration

  // exclusion: a banned user loses view even if they are a viewer
  permission view = viewer - banned
}
t
By propagation I was thinking of a chain like resource -> folder -> group -> user, which would end up like this:
definition user {
  relation suspended: user
  permission is_suspended = suspended
}

definition group {
  relation member: user
  permission is_member = member
  permission user_suspended = member->is_suspended
}

definition folder {
  relation owner: group 
  permission is_member = owner->is_member
  permission user_suspended = owner->user_suspended
}

definition resource {
  relation folder: folder
  permission can_view = folder->is_member
  permission can_edit = folder->is_member - folder->user_suspended
}
v
In this specific case I'd put it closer to where the grant is, in this case group#member:
definition user {
  relation suspended: user
  permission is_suspended = suspended
}

definition group {
  relation member: user

  permission is_member = member
  permission user_suspended = member->is_suspended
  permission can_view = is_member
  permission can_edit = can_view - user_suspended
}

definition folder {
  relation owner: group 
  permission is_member = owner->is_member
  permission user_suspended = owner->user_suspended
  permission can_view = owner->can_view
  permission can_edit = owner->can_edit
}

definition resource {
  relation folder: folder
  permission can_view = folder->can_view
  permission can_edit = folder->can_edit
}
If by propagation you mean that you need that chain of synthetic permissions in folder and group, yes, that has to be done. There is https://github.com/authzed/spicedb/issues/15 to help with the ergonomics associated with that propagation.
t
Thanks, just wanted to check if there was a smarter way 🙂