https://authzed.com logo
Join Discord
Powered by
hey! apologies - more modeling questions around at...
# spicedb
d
hey! apologies - more modeling questions around attributes. https://play.authzed.com/s/pqFVWEjV-16N/relationships
this is meant to be a small example of a larger pattern I'm having challenges expressing with attributes/having
looking at those relations; I'm trying to spell that e2erefapp with detail foo should only be able to access 
someresource
and 
demo
with detail 
foo
should only be able to access 
another
I've definitely modeled this wrong; as this is essentially taking the union of all details and allowing them to either resource
to state the goal slightly differently - I'm trying to attenuate access to a given resource by the attributes of the caller's identity
j
have you seen the caveated relationships proposal?
seems like a really good fit for what you're trying to do
d
it does feel close
though it seems slightly different in that the caveats are on the specific relation itself
rather than on an aggregate of the relations (apologies if that sounds like non-sense)
j
if you're trying to figure out why something is resolving in a way you're not happy with, you can always add the intermediate steps as Expected Relations and run re-generate: https://play.authzed.com/s/SCQzeOFUnEL5/expected
d
oh neat, I'd not done that. thank you
j
in this case, wouldn't you just write: 
deployment/resource:another#app@deployment/app:demo[appDetail=="foo"]
or some such
d
oh wow, if that is possible
j
it would be with caveats
d
then that would be a significant simplification
especially if those caveats could be combines
that would be exactly what I need
j
yeah, check out the proposal, and leave any relevant comments/requirements about your use case
we would like to get started on it after we sort out a few things for authzed.com
d
this has been our primary modeling barrier so it would be extremely useful to us; if you'd like use-cases etc I'm happy to chat about them as well
I in no way mean to pester you on this either but given its important to my spike I've got to ask 😄 do have an approximate timeline for when you expect to start/finish implementing the proposal?
PreviousNext
Powered by