SpiceDB is an open source, Google Zanzibar-inspired, database system for creating and managing security-critical application permissions.

SpiceDB

sure - basically, with SpiceDB we can almost always maintain the permission request to the scope of the entity and rely on the graph to resolve it, i.e. updating `ParentEntity` only really requires knowing about `ParentEntity`. But lets say in order to create a `ChildEntity`, which is a child of `ParentEntity`, it requires `write` permission on the specific `ParentEntity`. This puts a requirement that creating a specific `ChildEntity` would have to know that it needs to check permission on the parent `ParentEntity` first.

Its not a difficult thing to do, but the simplicity of having dynamic permission checks only have to care about the entity its modifying is really convenient. I didn't know if there was some creative way to keep the logic encapsulated for creation as well