# spicedb
j
but the subject will still have access (or not); if the subject is itself constrained by a tenant, then the recommendation is to use a per-tenant subject
b
The subject is not constrained to a tenant and we will need to pull out all resources and corresponding permissions a subject has in the tenant context.
j
so the question is this: is the subject you're checking within the context of a tenant only? if so, then the subject is not just the user: it's the user, under a tenant
b
yes but the same user can be part of different tenants as well, with access to different sets of resources. Is there any standard way to model this with SpiceDB? The use case would be: to have view access to a resource, the user should be a viewer and a member of a tenant. So we might need to add this member-of-tenant condition to all the relations/permissions; I wanted to know if there is any other easy way to solve this?
j
so that gets back to my original question
if you are checking for the user, then it'll return true regardless of tenant
if that's your intended outcome, great
if not, you should check for a tenanted user
because you are saying "I only want this permission to succeed for this user, within a tenant"
so that usually means defining a new object type called tenanted_user, linking it to a user
and then using tenanted_user in the parent grants
that allows you to check for tenanted_user OR user, depending on your use case
so something like
definition user {}
definition tenanted_user {
  relation user: user
}

definition document {
  relation viewer: tenanted_user#user
  permission view = viewer
}
so if you do
check document:somedoc view tenanted_user:sometenant_bala#user
it'll only apply for sometenant
or you can check for
check document:somedoc view user:bala
and it'll work for bala for any tenant
(again, if that's desirable)
b
Got it, then in that case the ID for tenanted_user I have to create is (tenantId + userId)
thanks !
j
yeah
btw, if you don't need to check the user overall at all
you can simplify a bit
and just do
definition tenanted_user {
}

definition document {
  relation viewer: tenanted_user
  permission view = viewer
}
then every user is tenanted, always
b
cool, I am pretty new to Zanzibar
thanks for your patience!
j
of course