https://authzed.com logo
Join Discord
Powered by
Hey guys, how's it going?
# spicedb
t
Hey guys, how's it going? I have an use case in which I would like to disable some permissions based on a boolean flag. Let's say I have permissions on a company entity.
Copy code
definition company {
  relation create_employees: role#member
  permission create_employee = create_employees
}
I would like to disable some companies from my system and make sure no permissions for that company are allowed. It would be a very small part of them I was wondering if I should use this pattern: https://authzed.com/docs/spicedb/modeling/attributes#self-relationships Does this pattern provide a big performance overhead? Or not really? Is it the recommended way of doing this?
y
self relations are a good way to model boolean logic, and they don't carry a large performance overhead other than making your schema one layer deeper (one more arrow to walk). for what it's worth, i'd still recommend modeling this additively - rather than writing a relationship that subtracts the permission for the entities for which it's disallowed, write a relation on all of the entities for which it's allowed instead
it's a larger storage overhead, but it should have better performance characteristics, because a negation requires resolving all of the relations on both sides of the 
-
before evaluation, which isn't true of phrasing it positively
it's also better from the perspective of failing closed
t
That would be my second question hahaha Thanks for the tip!
PreviousNext
Powered by