# spicedb
c
consider the following schema
```
definition document_database {
    relation project_database: project_database
    relation organisation_database: organisation_database

    permission view = ...
}

definition document {
    relation document_database: document_database
    relation viewer: user

    permission view = document_database->view + viewer & document_database->project // i tried this but it does not work also it does not make sense. What would it even mean to intersect `viewer` and `document_database->project` it probably becomes empty set?
}
```
is there some way to express that a user has view permission if they have one of: 1. `document_database->view`, or 2. `viewer` and not `document_database->organisation_database` (alternatively `viewer` and the `document_database->project` relation exists). i.e. they have view access only if 1. they can view the database that the document belongs to (trivial, just `document_database->view`), or 2. they are related via `viewer` and the document_database is a project_database (organisation database documents will not be shared with users who are only `viewer`s).
I found a workaround but it's not ideal. It involves creating one synthetic relation and one synthetic permission. one relation to store the set of whatever subject type you are trying to operate with and one to work around lack of nested arrows.
```
definition project_database {
  relation anyone: user:* // relation holding the entire set of whatever subject type you need to work with
}

definition document_database {
    relation project_database: project_database
    relation organisation_database: organisation_database

    permission view = ...
    permission has_project = project_database->anyone // work around lack of nested arrows
}

definition document {
    relation document_database: document_database
    relation viewer: user

    permission view = document_database->view + (viewer & document_database->has_project) // document_database->has_project becomes a set of users
}
```
biggest downside imo to this is that you have to remember to activate the `anyone` wildcard relation whenever a project_database is created :/ if anyone has a better solution i'm all ears 🙂
j
the alternative is to write a relationship from the document to itself to "enable" the project
but it still requires another relationship to toggle
c
hmm i don't quite follow, you mean to create a self relationship? but i would still need to intersect with a set of users. or do you mean to just create the `anyone` relation on the document itself? i.e. it could be called
```
relation can_be_externally_shared: user:*
```
so the view permission would become
```
permission view = document_database->view + (viewer & can_be_externally_shared)
```
and then just not toggle that toggle for documents that are part of organisation documents?
y
no, it'd be:
```
relation can_be_externally_shared: document

permission view = document_database->view + (viewer & can_be_externally_shared->viewer)
```
or something to that effect. that particular phrasing might be recursive in a way that causes bad behavior, but it demonstrates the idea of using a self-relation and then arrowing over it.
c
ah gotcha 👍