hi there, you are correct that the calling application(s) are responsible, either directly or indirectly, for keeping the relationship data up to date. if you intend to have a unique role/relationship for each document in your system, then yes, you do need to insert/delete those relationships as the referenced resources (or the roles on them, more likely) change, but if you are using an RBAC-like design for your schema, you'd have to apply these role changes anyway; you'd just apply them to SpiceDB/Authzed, instead of to your database. Likewise, if you have a relationship between say, a document and its parent organization, you do have to write/delete those as well, but that should only occur when the document is created or deleted.