SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

on the user-defined roles, say you have a user that wants to create a role but you want the user to only add permissions they themself have. 
`
definition location {
    relation administrator: user | role#member
    relation devices_viewer: user | role#member

    permission admin = administrator
    permission view_devices = devices_viewer + admin
}

definition role {
    relation member: user | role#member
}
`
so for example, the user has the `administrator` relation with a location and wants to create a role with the `view_devices` permission through the `devices_viewer`  relation, but since they don't have the `devices_viewer` relationship but have the `view_devices` permission, how do we check that the user can grant the role the `view_devices` permission through the `devices_viewer` relation which would ultimately grant the role the `view_devices` permission?