Joey

02/17/2023, 5:07 PM
but the subject will still have access (or not); if the subject is itself constrained by a tenant, then the recommendation is to use a per-tenant subject

bala

02/17/2023, 5:13 PM
The subject is not constrained to a tenant, and we will need to pull out all resources and corresponding permissions a subject has in a tenant context.

Joey

02/17/2023, 5:14 PM
so the question is this: is the subject you're checking within the context of a tenant only? if so, then the subject is not just the user: it's the user, under a tenant

bala

02/17/2023, 5:20 PM
yes, but the same user can be part of different tenants as well, with access to different sets of resources. Is there any standard way to model this with SpiceDB? The use case will be like: to have view access to a resource, the user should be a viewer and a member of a tenant. So we might need to add this member-of-tenant condition to all the relations/permissions. I wanted to know if there is any other easy way to solve this?

Joey

02/17/2023, 5:21 PM
so that gets back to my original question
if you are checking for the user, then it'll return true regardless of tenant
if that's your intended outcome, great
if not, you should check for a tenanted user
because you are saying "I only want this permission to succeed for this user, within a tenant"
so that usually means defining a new object type called tenanted_user, linking it to a user
and then using tenanted_user in the parent grants
that allows you to check for tenanted_user OR user, depending on your use case
so something like
definition user {}
definition tenanted_user {
  relation user: user
}

definition document {
  relation viewer: tenanted_user#user
  permission view = viewer
}
so if you do
check document:somedoc view tenanted_user:sometenant_bala#user
it'll only apply for sometenant
or you can check for
check document:somedoc view user:bala
and it'll work for bala for any tenant
(again, if that's desirable)

bala

02/17/2023, 5:26 PM
Got it, then in that case the ID for tenanted_user I have to create is (tenantId + userId)
thanks !

Joey

02/17/2023, 5:26 PM
yeah
btw, if you don't need to check the user overall at all
you can simplify a bit
and just do
definition tenanted_user {
}

definition document {
  relation viewer: tenanted_user
  permission view = viewer
}
then every user is tenanted, always

bala

02/17/2023, 5:28 PM
cool, I am pretty new to Zanzibar
thanks for your patience!

Joey

02/17/2023, 6:02 PM
of course