**modelling separate view and admin_view
# spicedbc
Conviley
09/22/2025, 1:48 PMmodelling separate view and admin_view permissions
Imagine you have a multi-tenant application where organisations can have multiple projects and a bunch of sharable resources with CRUD permissions under those projects. Organisation members work in projects but organisation admins can view all projects. To not bloat the project listing page for admins you want the option for them to toggle and only list those project which they have created, or directly/via group membership been made a
viewerConviley
09/22/2025, 1:57 PMThe only alternative i've thought about how to solve this is creating a duplication of all CRUD permissions prefixed e.g. with
admineditadmin_editviewadmin_viewy
yetitwo
09/22/2025, 2:13 PMwhat you're describing sounds sane to me
yetitwo
09/22/2025, 2:13 PMi'm not sure what the alternative would be
yetitwo
09/22/2025, 2:14 PMi guess if we had something like https://github.com/authzed/spicedb/issues/1317 for checks as well it would let you supply the organization relation as a filter
yetitwo
09/22/2025, 2:15 PMbut as it currently stands, adding admin variations and then checking those specifically is the way i would go
yetitwo
09/22/2025, 2:15 PMif you just want to break things up, you could use the
partialc
Conviley
09/23/2025, 9:18 AMOkay thanks for the sanity check 🙏
Conviley
09/23/2025, 9:19 AMyeah that issue details something very requested, looking forward to the day it comes! 😄
s
sp132
10/02/2025, 8:33 AMWe had a similar scenario and solved it like this:
definition core/group {
relation system: core/system
relation owner: core/user
relation member: core/user
permission view = system->view_groups + owner + member
permission membership = owner + member
}
Direct memberships are queried via the
membershipview6 Views