# spicedb


10/26/2022, 7:17 PM
Hey! Any examples of how to build something liken Google clouds IAM system on top of SpiceDB. The Zanzibar paper mentions that cloud iam is built as a layer on top. Specifically, resources (objects) are modelled as a tree. Roles can be assigned to principals on resouces and apply to all resources further down the tree. Each role is tied to a fixed set of permissions/strings (..). When performing authz you test if a principal has a given permission on a given resource (not if the principal has a role). Its seems that the resource hierarchy could be modelled in SpiceDB, but i fail to see if its possible to detach the role definition from that. All examples seem very explicit. In cloud iam roles can be created on the fly. Linked with permissions and then bound to the resource hierarcy.