Modeling a grant by email address
# spicedb
a
👋 Hi everybody! 👋 I'm building a permissions system based on SpiceDB, and would like to support API clients to share an artifact with others using email address (pretty unremarkable). Now, normally that relationship is to an entity with a UUID as its stable identifier, but that may not exist if a user is sharing an artifact with a user that's never logged into our system. ❓ Is there an established pattern for modeling this problem, of sharing to an identifier that doesn't exist yet?
I can see multiple solutions to this:
1. Just create an account with a UUID upon the share operation, and associate it with the email address as the authn mechanism. Doesn't involve SpiceDB at all.
2. Model the email as a different definition in the SpiceDB schema, and create the relationship between it and the artifact. Once the user signs up, create a relationship between the user account and the email.
3. Caveats??
y
my initial impulse is to add another definition to the system that represents those shares
second one is how i'd do it
at least at first blush
i'd definitely consider #1, but i'd be weighing its complexity/difficulty
a
can caveats help here @yetitwo ?
y
i wouldn't reach for them, no. the general rule of thumb is that if something can be modeled with a relationship it should, and this can definitely be modeled with relationships.