hi, Just read https://authzed.com/blog/acl-filtering-in-authzed/, because this is currently our biggest performance concern when it comes to scale. I feel the article ended slightly premature. It tells people how to get a list of object-ids that satisfy the query, but now you need to basically do a paginated query against your 'other' database such as

SELECT * FROM TABLE docs WHERE doc-id IN (id1, id2, ..., idn)

to list documents the given user can e.g. view with some metadata. And if the user can view 1000 docs, I doubt one can put those 1000 doc-ids into the query. I wonder what people practically do here.

You are correct this is problematic when JOINing results from SpiceDB and the client application tables. We don't have a good answer for that right now, and the possible solutions are being explored in https://github.com/authzed/spicedb/issues/207

Thanks. I've found that issue too. I understand how that cache helps with the overall use case, but my main concern is the join. I am wondering if people e..g add a dedicated server-side query api to address this.

I don't think I can point you to a specific example on how folks do this. What we are exploring is: - Bloom Filter that could be used in the database side - have client application consume the permission stream into their database so they can JOIN with the tables to filter

Some folks are consuming the Watch API and then calling th Lookup APIs and saving the results into their datastore in a format where they can then perform JOINs. That's another option, if eventual consistency is okay for your application. It's also known to scale to quite a large amount of traffic on the Postgres datastore specifically.

Thanks for the answers!