Hey there, could someone help me with a modelling/...
# spicedb
a
Hey there, could someone help me with a modelling/query question? I have created a model, relationships and checks in the playground: https://play.authzed.com/s/aHaDwQZnO42n/schema . I have a time_events object for which I can get all users which are allowed to e.g. edit, view, ... But how can I model a permission where I can get all time_events for which my user has e.g. view or edit rights? E.g. my user can be a manager and I want to get all time events for my direct reports for which I am allowed to edit. I do not find a suitable way, maybe I am only stuck and you can help me to come to the right solution? 🙂
v
👋🏻 it sounds like you want to intersect the permissions of 2 different users, which is not something the system really supports today. What you can do is do 2 `LookupResources` calls and intersect them in memory:
`LookupResources(user: themanager, permission:edit, resource_type: time_events)`
intersected with
`LookupResources(user: thereport, permission:edit, resource_type: time_events)`
a
Hi @vroldanbet, thanks for looking at my example and pointing me to the lookup api. If I want to get all documents a user is allowed to edit, wouldn't it be sufficient to use only one lookup call? If I use `LookupResources(user: alice, permission:edit, resource_type: time_events)` wouldn't it return all time_events alice is allowed to edit? In my case alice has a relation to manager and managers are allowed to edit the time events for bob. Hence I should get the time_events object of bob returned? If I want to do the same for another user, e.g. bob (who owns the time event of bob), I would not get any return object, because bob is not allowed to edit it?
v
oh yeah, I kinda understood your quest as you needed to merge the enumeration of resources from 2 users, but yeah, if all you need is getting the resources for alice, that'd work with one API call
yes, you'd get the resources for bob when checking for alice
and correct, if bob does not have any edit permissions on any time events, you'd get no results
a
Do you know if Lookup api is the only way or if there is also a possibility to model this in a nice way, as a permission? e.g. in the user object add a permission to get all time_events my user is able to edit?
v
there is no other option. Permissions describe how the response is computed. It's then the API method that allows you to do different things with the permission, so having different API methods to compute over the permission is the right way to go IMO