Thinking about what's the idiomatic way to do a

delete

of a subject, say,

user:user1

with the least possible api requests. Say, an employee quits and I want to delete all of their access data stored in SpiceDB. When I understand the

DeleteRelationshipRequest

structure right, it's not possible to tell it "delete every relationship you can find that has user:user1 inside", so only make one call. Is that right, or am I missing something? Having to define a

resource_type

in the request limits it a bit for that case, though i could imagine a potential impact on performance if not set.

you're correct in that it you need to set the resource_type

resource_type:*/any is not an option i guess? 😉

one way to do it atomically would be to create a single relation within the user, say

active

that points to itself, and that have all of your permissions computations require active users

that'd be a good idea, sure, but would still lead to a lot of stale relations until cleanup happens in whatever manner.

yeah it's possible, depending on the permissions model

i am thinking of a large schema where there could also be some prefixed subschemas, say services on a cloud platform. I see that iterating through all the relations will be costly, e.g. assuming

resource_type:*

or a similar approach would be possible, but then again the way it would work now, if I understand it right, would be: 1) Know all the Objects and possible relationships of the subject beforehand 2) call LookupResources for that specific User on all of them 3) make a bunch of DeleteRelationshipRequests Also sounds costly to me, and also complicated, so thought there might be a nicer way to achieve this 🙂

@dguhr-rh yeah the workflow is annoying, for sure. Would you mind opening an issue to keep track of this and describe your use-case and what the desirable behaviour should be?

Sure!