at some point you need to define base permissions ...
# spicedb
j
at some point you need to define base permissions to check
s
Hi Joey, I used the example you shared; here is my schema: https://play.authzed.com/s/nKyMjOrVUVvB/schema
The challenge I have with this approach is that I will have to know all possible types of relations to avoid schema changes in the future. Is there any way we can make relations user-defined as well, so that no change (or the least change) is required in the future?
j
why not just add more when you need them?
s
As schema changes are sensitive, and I want to keep the governance overhead as low as possible.
Think of multiple applications using the same schema file and using namespaces for isolation.
j
still, if you're adding new relations you should be... adding new relations
otherwise you're losing all forms of type safety and optimizations
s
I get your point, but we have a varied set of requirements. One way I have to achieve this is https://play.authzed.com/s/D-WcA5DQlWy6/relationships: I created an abstract object called permission_set, and assign this abstract object to a Group, Role or User. The only concern with this is that, at the time of making a permission check, multiple hits would be required. A permission looks like this: Can Store_Owner have Search Access on Case?
j
yes, it works, insomuch as you can define a schema that does it
but as you said, it requires multiple checks and it's going to be highly negative performance-wise
not to mention, by being completely dynamic, you'll have essentially no way to validate it
s
Good point, thanks Joey, I get that!