Hi I believe you re looking for the Lookup API have a look a

Question

Hi I believe you re looking for the Lookup API have a look at this https buf build authzed api docs main authzed api v1 authzed api v1 PermissionsService LookupSubjects

gvf · Answer

I think that s to check for a specific permission I want to be able to provide a resource and a user and get back all the permissions the user has on the provided resource

Perseus · Answer

sorry for jumping on to this but I m looking for a way to do this as well If there isn t a major tech constraint to do this I d be happy to have a go at having a PR open to do this as well + having a way to distinguish between direct permissions and propagated permissions through some other relation

gvf · Answer

it s surprising it doesn t provide it already

Joey · Answer

its not provided because its not really doable in a performant manner to find all permissions you d have to walk backward to every permission and path in the entire schema

Joey · Answer

if the schema is small and the data is minimal it might work

Joey · Answer

but in any real scale it would take seconds or more

dsieczko · Answer

sorry < gvf> you re right

dsieczko · Answer

there is this issue https github com authzed spicedb issues 613

dsieczko · Answer

< Perseus> ^^

Joey · Answer

note that ^ is a structural reflective walk

Joey · Answer

not a data driven one

Joey · Answer

< gvf> < Perseus> are your permission systems RBAC like or

Perseus · Answer

Yes RBAC like There are multiple possible accessors of any given resource users organizations etc I need to be able to fetch all the permissions that an accessor has on a resource direct and indirect in order to have different states on the UI and expose different actions to the users

Joey · Answer

the recommendation right now is to issue a `check` for each permission in parallel

Perseus · Answer

is there a way to get only a particular subject type s permissions

Joey · Answer

that s what the ^ reflection issue is about

Joey · Answer

being able to say which permissions can this relation or subject type have

Joey · Answer

although now that I think about it we could in theory just combine the two IF you re asking for a particular subject not a subject type overall

Perseus · Answer

not exactly that for example if a user has permissions on resource X and they are also part of an org that has permissions on resource X can I retrieve only the permissions that the user has while not retrieving what they have through the org

Joey · Answer

you d issue a check on the overall permission and the org only one

Joey · Answer

and see if they differ

Joey · Answer

SpiceDB doesn t really know what an org only permission is

Perseus · Answer

gotcha

Joey · Answer

or if you re using an RBAC like schema you could just see if they have any of the roles

Joey · Answer

and if not know its through some other means

Joey · Answer

is the intention to show that a user has an inherited permission

Joey · Answer

user X can access this because they are an admin of org O

Perseus · Answer

not exactly that part is for our discovery layer being able to display content that s been shared with just you vs your org

Perseus · Answer

trying to slowly migrate our existing system over

Perseus · Answer

so that data gets synced to ES to help with full text search etc

Joey · Answer

ah in that case you d want to either define a permission that is just the user and check it

Joey · Answer

or check the just the org permission

Joey · Answer

< Perseus> have you read the tiger cache proposal the intention is to have it produce roaring bitmaps that ES can use

Perseus · Answer

yeah thats what I ended up doing `reader` vs `org reader`

Perseus · Answer

yup i had a look at that unfortunately as it currently stands we wouldn t be able to make use of that since we use mongo and the ids are 96bits vs the 64 that roaring bitmaps support

Joey · Answer

aha

Joey · Answer

yeah I d give a lot for a 128 bit standard roaring bitmap format

Perseus · Answer

unfortunately my schema seems to be getting more complicated as i have to deal with more accessor types with the same edge cases as others haha

Joey · Answer

speaking hypothetically if we added an API that was a check but returned on which relationship s path s the check found the subject had permission would that solve your problem >

Joey · Answer

just thinking out loud

Perseus · Answer

hmm wouldn t I have to make a check for every permission either way and then read the path that it went through unless there was a way to tell the `check` to go through a particular path sorry not completely able to visualize how it d work out

Joey · Answer

in theory we could turn off short circuiting for it

Joey · Answer

but it would be slower

Perseus · Answer

yeah thats what I was thinking I m assuming that parallel checks would be a lot faster

Joey · Answer

likely yes

Joey · Answer

that s why we recommend it right now

Joey · Answer

but we already dispatch each branch of a check in parallel

Joey · Answer

so in theory it could be done in one check

Perseus · Answer

right thats what I was thinking and from what I read the results of each of those branches get cached as well future requests would be a lot faster

Joey · Answer

yep

Perseus · Answer

i can also maintain a secondary cache which gets invalidated based on updates being emitted from the watch service that should help

Joey · Answer

just be careful with maintaining a secondary cache handling arrows is non trivial

Perseus · Answer

gah yeah i m assuming the duration of the cache in spicedb is configurable i vaguely recall reading 5 seconds as the ttl somewhere but I feel like that would be too low

Joey · Answer

its 5s for the quantization window

Joey · Answer

if you use a zedtoken from a previous check for a next check it ll use the cache

Joey · Answer

so long as the entry isn t evicted

Perseus · Answer

ah yeah i need to figure out the correct place to store the zedtoken as well do you usually suggest storing it along with the resource metadata or is something else idiomatic there

Joey · Answer

yes

gvf · Answer

In our case it s not RBAC all users have the same role but we apply rules to some of them Our app serves content to when the user lands on a given page we want to request to the auth system what grants does this user have for this doc it could be title audio pdf agenda summary and so on

Joey · Answer

are these grants represented by `relation`s

gvf · Answer

mhh I m very new to spicedb I don t really know but whatever you suggest is the best option

gvf · Answer

I just started with it today

gvf · Answer

I would say so is there any other option

Joey · Answer

normally no but sometimes its a combination of relations

Joey · Answer

but anyway if they are each represented by a single relation you could use `ReadRelationships` to find them

gvf · Answer

ok I ll try that tomorrow thxs

gvf · Answer

Leaving this here in case anyone is looking for the same I ran this ```zed relationship read tutorial document firstdoc subject filter tutorial user sarah``` and it worked fine

Perseus · Answer

thank you i was able to get the behavior i wanted by readrelationships + keeping a map of relationship to permission in code would not need this once the reflection API comes out

dsieczko · Answer

that s awesome thanks for the update