but the subject will still have access or not if the subject SpiceDB #spicedb

but the subject will still have access (or not); i...

Joey

02/17/2023, 5:07 PM

but the subject will still have access (or not); if the subject is itself constrained by a tenant, then the recommendation is to use a per-tenant subject

bala

02/17/2023, 5:13 PM

The subject is not constrained to a tenant and we will need to pull out all resources and corresponding permissions a subject have in tenant context.

Joey

02/17/2023, 5:14 PM

so the question is this: is the subject you're checking within the context of a tenant only? if so, then the subject is not just the user: its the user, under a tenant

bala

02/17/2023, 5:20 PM

yes but the same user can be part of different tenant as well with access to different set of resources. Is there any standard way to model this with spiceDB ? Use case will be like to have view access to a resource the user should be viewer and member of a tenant. So we might need to add this member of tenant condition to all the relation/permission, I wanted to know is there any other easy way to solve this ?

Joey

02/17/2023, 5:21 PM

so that gets back to my original question

Joey

02/17/2023, 5:21 PM

if you are checking for the user, then it'll return true regardless of tenant

Joey

02/17/2023, 5:22 PM

if that's your intended outcome, great

Joey

02/17/2023, 5:22 PM

if not, you should check for a tenanted user

Joey

02/17/2023, 5:22 PM

because you are saying "I only want this permission to succeed for this user, within a tenant"

Joey

02/17/2023, 5:22 PM

so that usually means defining a new object type called

tenanted_user

, linking it to a user

Joey

02/17/2023, 5:23 PM

and then using

tenanted_user

in the parent grants

Joey

02/17/2023, 5:23 PM

that allows you to check for

tenanted_user

user

, depending on your use case

Joey

02/17/2023, 5:23 PM

so something like

Joey

02/17/2023, 5:24 PM

Copy code

definition user {}
definition tenanted_user {
  relation user: user
}

definition document {
  relation viewer: tenanted_user#user
  permission view = viewer
}

Joey

02/17/2023, 5:24 PM

so if you do

check document:somedoc view tenanted_user:sometenant_bala#user

Joey

02/17/2023, 5:25 PM

it'll only apply for

sometenant

Joey

02/17/2023, 5:25 PM

or you can check for

check document:somedoc view user:bala

Joey

02/17/2023, 5:25 PM

and it'll work for

bala

for any tenant

Joey

02/17/2023, 5:25 PM

(again, if that's desirable)

bala

02/17/2023, 5:26 PM

Got it, then in that case the ID for tenanted_user I have create (tenantId + userId)

bala

02/17/2023, 5:26 PM

thanks !

Joey

02/17/2023, 5:26 PM

yeah

Joey

02/17/2023, 5:26 PM

btw, if you don't need to check the user overall at all

Joey

02/17/2023, 5:26 PM

you can simplify a bit

Joey

02/17/2023, 5:26 PM

and just do

Joey

02/17/2023, 5:26 PM

Copy code

definition tenanted_user {
}

definition document {
  relation viewer: tenanted_user
  permission view = viewer
}

Joey

02/17/2023, 5:26 PM

then every user is tenanted, always

bala

02/17/2023, 5:28 PM

cool, I am pretty new to zanzibar

bala

02/17/2023, 5:28 PM

thanks for your patience!

Joey

02/17/2023, 6:02 PM

of course

Previous Next