Howdy. We're running into issues with our DB load and have narrowed down the permissions causing problems. Here's a simplified schema:

definition user {}

definition organisation {
    relation admin: user
    relation teacher: user
    relation deactivated_member: user
    permission active_staff = admin + teacher - deactivated_member
}

// ID is Org:Subject pair
definition capability {
    relation organisation: organisation // only ever one organisation here
    relation capability_official_content: user:* | organisation:*
    permission capability_applies = organisation->active_staff + organisation
    permission official_content = (capability_official_content & capability_applies)
}

definition subject {
    relation capability: capability
    permission official_content = capability->official_content
}

definition activity {
    relation subject: subject
    relation official_content: user:* | organisation:*

    permission view = subject->official_content & official_content
}

Checking

activity:x#view

seems to blow up our database due to needing to evaluate thousands of

capability

per

subject

. An

--explain

shows that it's evaluating a lot of tuples (the output was ~600kb of text) Logic is: Organisation is granted access to various subjects. Orgs may be granted different capabilities for each subject. A user may be in multiple organisations. Users should only be granted access to activities their current org (contextually) has access to. We're trying to avoid caveats so this involves 2 checks, one for the user and one for the org (hence the additional org wildcards):

activity:a_1#view@user:u_1
activity:a_1#view@organisation:o_1

It doesn't seem like this should be a problem for SpiceDB to handle - do we just need a beefier DB? I don't know if it's related to this issue in particular but our cache hit ratio has also tanked recently, it usually sits around 2:1 but is between 1.2-1.5:1 recently 😱