SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

one thing that may help is the `--explain` flag on `zed` calls - it can show you the path by which a user was (or wasn't) granted access. i don't think it will compare it to the entire schema as it's currently implemented - it will only tell you where the path starts and ends.

otherwise my usual approach is to manually trace based on reading the schema and issuing readrels to check hops. this could be a nice enhancement for zed, though.