another example might be to restrict access if the user is not within a specific IP range (or is):

caveat ip_allowlist(user_ip ipaddress, cidr string) {
  user_ip.in_cidr(cidr)
}

definition user {}

definition resource {
  relation viewer: user with ip_allowlist
  permission view = viewer
}

in this case, you could write the

cidr

alongside the relationship:

resource:someresource#viewer@user:someuser[ip_allowlist:{"cidr": "1.2.3.0"}]

and then pass the user's current

user_ip

in the

CheckPermission

request