10/28/2022, 1:39 PM
Hey, to add a bit on this use case. The question we want the authz system to answer is "Does user X have permission Y on resource Z?" In this system a role defines a set of permissions. A user can then be bound to a role on a resource. Permissions, roles and resources are not known beforehand by the authz system. We want these to be fed to the authz system dynamically and not have to update the schema anytime a new permission/role is added. I'm having a hard time modeling this dynamic permission resolution in SpiceDB. My attempt is available on this playground, but as you can see in the assertions, I cannot answer the original question in a single assertion: "Does user X have permission Y on resource Z?" In the linked playground, what I would like to assert is that for a given resource both the user and the permission relationship exist. Would really appreciate any input on whether what I'm trying to achieve is possible and/or if I need to re-think the model.