Hi! I have a use case that I'm wondering if it's possible to express in Zanzibar/SpiceDB at all.
First of all, we're a SaaS; let's simplify and say we have a single resource, Report.
Our tenants have users, and those can be assigned to (customizable) Roles. (Users optionally have managers, which are other users.)
Our tenants can create Reports that are isolated from other tenants.
Roles are created and configured by the tenant admin, and they can be configured in a variety of ways such as:
* Members of this role can View any report within their tenant.
* Members of this role can Edit reports that they own.
* Members of this role can Edit reports that they own, plus reports owned by anyone they manage directly or indirectly (i.e. recursively).
* Members of this role can Delete reports owned by anyone they manage (but not their own reports).
Etc., etc. In general, any role can configure View, Edit and Delete permissions on Reports, orthogonally with the "target" ("only their own" and "only those owned by anyone they manage").
A user can belong to many roles as well, so flexibility is maximal. However I'm not sure this is expressible in Zanzibar. Does anybody have an idea on how to model this?
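
The rules described in the post above, written out as a plain reference evaluator. This is an added example, not part of the original post and not a SpiceDB schema; it is useful as a test oracle to compare any candidate schema against. The scope names, the `Directory` class and the sample data are assumptions, and roles are assumed to be assigned only within their own tenant.

```python
from dataclasses import dataclass

# Scope names are assumptions based on the post's "target" wording.
ANY, OWN, MANAGED = "any_in_tenant", "own", "managed"

@dataclass
class Directory:
    tenant_of: dict   # user id or report id -> tenant id
    manager_of: dict  # user id -> direct manager's user id
    owner_of: dict    # report id -> owner's user id
    grants: dict      # role id -> set of (action, scope) pairs
    roles_of: dict    # user id -> set of role ids

    def manages(self, boss, user):
        """True if boss is a direct or indirect manager of user."""
        if boss == user:
            return False  # "managed" never covers the user's own reports
        seen, cur = set(), self.manager_of.get(user)
        while cur is not None and cur not in seen:  # stop on cyclic data
            if cur == boss:
                return True
            seen.add(cur)
            cur = self.manager_of.get(cur)
        return False

    def allowed(self, user, action, report):
        # Tenant isolation is checked first: no grant crosses tenants.
        tenant = self.tenant_of.get(user)
        if tenant is None or tenant != self.tenant_of.get(report):
            return False
        owner = self.owner_of.get(report)
        for role in self.roles_of.get(user, ()):
            for act, scope in self.grants.get(role, ()):
                if act != action:
                    continue
                if (scope == ANY or (scope == OWN and owner == user)
                        or (scope == MANAGED and self.manages(user, owner))):
                    return True
        return False

# Constructed sample data: alice manages bob, bob manages carol (tenant t1).
def sample():
    return Directory(
        tenant_of={"alice": "t1", "bob": "t1", "carol": "t1", "dave": "t2",
                   "r_alice": "t1", "r_carol": "t1", "r_dave": "t2"},
        manager_of={"bob": "alice", "carol": "bob"},
        owner_of={"r_alice": "alice", "r_carol": "carol", "r_dave": "dave"},
        grants={"viewer": {("view", ANY)},
                "lead": {("edit", OWN), ("edit", MANAGED), ("delete", MANAGED)}},
        roles_of={"alice": {"lead"}, "carol": {"viewer"}},
    )
```
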