# spicedb
b
Hi everyone, I am new to spiceDB and stuck while creating a schema.
```
definition user {}

definition organization {
    relation admin: user
    relation member: user
    relation application: application
    permission org_members = admin + member
    permission org_admin = admin
}

definition application {
    relation admin: user | organization#admin
    relation member: user | organization#admin
    relation org: organization
    permission users = member + admin + org->org_admin
    permission full_access = admin + org->org_admin
}
```
Test Relationships
```
organization:foo#admin@user:u1
organization:foo#member@user:v1
organization:foo#application@application:bar
organization:foo#application@application:bar1
application:bar#admin@user:u2
application:bar#member@user:u3
application:bar#member@user:u4
```
Expected relations
```
application:bar#full_access: []
application:bar#users: []
organization:foo#org_members:[]
```
When I check `application:bar#users: []` it does not show organization admins in it. I don't know where I am going wrong.
v
Hey 👋 When sharing your schema, it's easier for troubleshooting if you share a playground link. You can click on the share button and paste the URL.
You don't have any link between the application and the organization, hence `permission users` in `application` is unable to traverse to `organization#admin`.
You need to add `application:bar#admin@organization:foo#admin`; this means every admin of the organization foo is also an admin of application bar.
b
Thanks @vroldanbet that solved the issue. I saw the share feature now, will use it next time.
https://play.authzed.com/s/nU8DFNSfo8Sx/expected Hey, I ran into another issue. Above is the link for my schema and test relationships. What I am trying to achieve is: I have defined a few policies and those policies are attached to a role. I have bound some users to that role, but when I check which users have access to that policy, it's returning an empty array. Can anyone help?
v
Can you please write the assertions you expect in the playground link? (you need to export URL again after modifying)
b
Hi @vroldanbet, this is the new link with assertions https://play.authzed.com/s/kBPB5Cq3OFB8/assertions I have also added comments against each assertion explaining why I think it should be true.
v
the assertions seem to run correctly?
b
I want the false parts to return true actually,
v
then please add those in the correct assertion, otherwise the reader is confused
b
ok
v
there is no relationship that creates a connection up to the org admin
- the policy:geocode_api misses the `belongs_to`, which links it with an application
- then the application needs to be linked with an organization to be able to reach to the org admin
if you add `policy:geocode_api#belongs_to@application:apihub`, then it works
I used zed terminal in the playground to do an `--explain` and visualize what was happening
```
$ zed permission check policy:geocode_api access user:bharath --explain
false
⨉ policy:geocode_api access (800µs)
└── ⨉ policy:geocode_api attached_to (300.032µs)

$ zed permission check policy:geocode_api access user:bharath --explain
true
✓ policy:geocode_api access (2.200064ms)
├── ⨉ policy:geocode_api attached_to (0s)
└── ✓ application:apihub full_access (1.299968ms)
    └── ✓ application:apihub admin (899.84µs)
        └── ✓ organization:onze admin (199.936µs)
            └── user:bharath
```
b
thank you
I am using the Go client library, how do I write the following relationship to spiceDB? `application:apihub#admin@tenant:onze#admin` I followed https://authzed.com/docs/spicedb/getting-started/protecting-a-blog this as well
```go
request := &pb.WriteRelationshipsRequest{Updates: []*pb.RelationshipUpdate{
	{ // tenant onze admin is an admin on application apihub
		Operation: pb.RelationshipUpdate_OPERATION_CREATE,
		Relationship: &pb.Relationship{
			Resource: &pb.ObjectReference{
				ObjectType: "application",
				ObjectId:   "foo",
			},
			Relation: "admin",
			Subject: &pb.SubjectReference{
				Object: &pb.ObjectReference{
					ObjectType: "tenant",
					ObjectId:   "bar",
				},
			},
		},
	},
}}
```
How do I add that I want to define that relation on tenant admin rather than tenant?
v
@bharath3166 you'd set `admin` as the `OptionalRelation`, which is a field in `SubjectReference`
b
thanks @vroldanbet.
Hi @vroldanbet. I am not understanding why my assertion is failing. Can you help me please? https://play.authzed.com/s/eoNoF6H1oSwQ/assertions