Given this simple schema... 1. Is it possible to simplify the

group#owner | group#member

into something like

group#*

? Is this catchall not recommended? 2. I'm modelling public vs private in the application logic/db, is there a pattern for this in spicedb? 3. For public groups, I'd like to allow any user to join/leave. Is this something that can be modelled in spice? 4. I'd like non-members to be able to view public groups. Should I add

user

to the

read

permission?

definition user {}
definition group {
  relation owner: user
  relation member: user

  permission write = owner
  permission read = member + write
}

1. no, but you can add a permission that's the union of the two and then arrow to that permission from another object. (reading this after i wrote it, i'm not sure this is actually a functional alternative; there isn't wildcard/catchall behavior in the way you're describing.) 1. subject wildcards (

user:*

) are typically the way that you say something is "public" 1. sure, have a join (and/or leave) permission on the group and phrase it in terms of the aforementioned subject wildcards for the last part:

definition user {}

definition group {
  relation owner: user
  relation member: user
  relation public: user:*

  permission write = owner
  permission read = member + public
}

and then you'd write a

public@user:*

on the group to make it public

Is there a way to model super users minimally, or is it typical to make a

definition superuser {}

and add it to the relations on every resource?

when i've done it i've used a

definition platform {}

object

Came across the examples repo list night, saw the superuser based on platform there