I m trying to understand how the LookUp API will help in showing the higher-level views. I agree/understand all the problems mentioned on the page https://authzed.com/blog/acl-filtering-in-authzed/, but have a query on how would we solve the actual use case. Lookup API will return a stream of objects/resources the user who has access ( or some other permission ) to but since the actual objects are stored in a separate DB/service, the permission enforcement service should collect all the stream values and filter from its database, this could be very expensive if there are a huge number of records.

that's correct, if you are looking to filter a very large list of DB records with the elements coming from of

LookupResources

, it will become eventually expensive to compute. For this we have a plan to address it more efficiently. Ideally you'd use the

LookupWatch API

which provides a stream of all the changes, and you can store them in the same database in order to efficiently

JOIN

them together. https://github.com/authzed/spicedb/issues/207