Hey, to add a bit on this use case.
The question we want the authz system to answer is "Does user X have permission Y on resource Z?"
In this system a role defines a set of permissions.
A user can then be bound to a role on a resource.
Permissions, roles and resources are not known beforehand by the authz system. We want these to be fed to the authz system dynamically and not have to update the schema any time a new permission/role is added.
I'm having a hard time modeling this dynamic permission resolution in SpiceDB.
My attempt is available on this playground:
https://play.authzed.com/s/FaqdSzB7NtZ2/schema but as you can see in the assertions, I cannot answer the original question in a single assertion: "Does user X have permission Y on resource Z?"
In the linked playground, what I would like to assert is that for a given resource both the user and the permission relationships exist.
Would really appreciate any input on whether what I'm trying to achieve is possible and/or if I need to re-think the model.
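The check semantics described in the post, as an added Python illustration that is not part of the original post and is not SpiceDB schema or API code. All names (`RoleBindingStore`, `grant`, `bind`, the sample users, roles and resources) are hypothetical; it contrasts a check joined through the same role binding with two independent existence checks, which over-grants.

```python
from collections import defaultdict


class RoleBindingStore:
    """In-memory model: roles and permissions are data, not schema."""

    def __init__(self):
        self.role_permissions = defaultdict(set)  # role -> {permission}
        self.bindings = defaultdict(set)          # (resource, role) -> {user}

    def grant(self, role, permission):
        self.role_permissions[role].add(permission)

    def bind(self, user, role, resource):
        self.bindings[(resource, role)].add(user)

    def check(self, user, permission, resource):
        """True only if ONE role on this resource holds both the user
        and the permission. Anything unknown is denied by default."""
        return any(
            res == resource
            and user in users
            and permission in self.role_permissions.get(role, ())
            for (res, role), users in self.bindings.items()
        )

    def check_independent(self, user, permission, resource):
        """Over-permissive variant: asks two separate questions about the
        resource without requiring them to share a role."""
        roles = [r for (res, r) in self.bindings if res == resource]
        user_bound = any(user in self.bindings[(resource, r)] for r in roles)
        perm_present = any(
            permission in self.role_permissions.get(r, ()) for r in roles
        )
        return user_bound and perm_present


def build_sample():
    # Constructed sample data, not taken from the linked playground.
    store = RoleBindingStore()
    store.grant("viewer", "read")
    store.grant("editor", "read")
    store.grant("editor", "write")
    store.bind("alice", "viewer", "doc1")
    store.bind("bob", "editor", "doc1")
    store.bind("alice", "editor", "doc2")
    return store
```

With this sample, `check("alice", "write", "doc1")` denies while `check_independent` allows it, because bob's editor binding puts `write` on the same resource where alice is only a viewer.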