
fierro

03/06/2023, 6:19 AM
was playing with the `-` operator, and came up with this example:

```
    relation parent: parent

    relation writer: user
    relation viewer: user
    relation exclude_writer: user

    permission write = parent->write + writer - exclude_writer
    permission view_reference_write = write + viewer
    permission view_inline_write = parent->write + writer - exclude_writer + viewer
    permission view_inline_write_parens = (parent->write + writer - exclude_writer) + viewer
```
There's two interesting things about this example:

1) Exclusions are not carried through to permissions that reference other permissions containing exclusions; in other words, `view_reference_write` doesn't "respect" the exclusions specified in `write`. Makes sense to me, maybe worth adding to the docs?

2) `view_reference_write` and `view_inline_write` are net different. Inlining the `write` into `view_inline_write` causes a different set of subjects than `view_reference_write` because the `-` operator had (to me) the unexpected effect of grouping the addends. The docs do clearly state that everything to the left of the operator is included, and everything to the right is excluded, so that's pretty unambiguous.

3) Adding parentheses helped me achieve the desired grouping (`view_inline_write_parens`). Was pleasantly surprised to see this is supported; do the https://authzed.com/docs/reference/schema-lang docs mention this anywhere?

Hopefully others find this interesting/exemplifying also. Here's the playground -> https://play.authzed.com/s/MxtyJyh_mg4T/schema
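The grouping described in the post can be checked with plain set arithmetic. The following is an added example, not part of the original post and not SpiceDB code: a small evaluator that treats `-` as binding more loosely than `+`, as the post describes, and resolves the four permissions over constructed subjects. The subject names, the `SETS` data, and the treatment of `parent->write` as a precomputed flat set are assumptions.

```python
import re
from collections import deque

# Constructed sample subjects; "parent->write" stands for whoever the parent grants write to.
SETS = {
    "parent->write": {"alice"},
    "writer": {"bob", "carol"},
    "exclude_writer": {"carol", "dave"},
    "viewer": {"dave", "erin"},
}
PERMISSIONS = {  # the four permissions from the post; "write" must be resolved first
    "write": "parent->write + writer - exclude_writer",
    "view_reference_write": "write + viewer",
    "view_inline_write": "parent->write + writer - exclude_writer + viewer",
    "view_inline_write_parens": "(parent->write + writer - exclude_writer) + viewer",
}

def evaluate(expr, sets):
    # Tokens: names (optionally with an arrow), parentheses, + and -; None marks the end.
    tokens = deque(re.findall(r"[A-Za-z_]\w*(?:->[A-Za-z_]\w*)?|[()+-]", expr) + [None])
    def atom():
        tok = tokens.popleft()
        if tok != "(":
            return set(sets[tok])  # copy, so the operators below never mutate the input
        value = exclusion()
        if tokens.popleft() != ")":
            raise ValueError("expected ')'")
        return value
    def union():  # '+' binds tighter: a + b + c
        value = atom()
        while tokens[0] == "+":
            tokens.popleft()
            value |= atom()
        return value
    def exclusion():  # '-' binds loosest: (whole left union) - (whole right union)
        value = union()
        while tokens[0] == "-":
            tokens.popleft()
            value -= union()
        return value
    result = exclusion()
    if tokens[0] is not None:
        raise ValueError("unexpected token %r" % tokens[0])
    return result

def permissions(sets):
    resolved = dict(sets)
    for name, expr in PERMISSIONS.items():  # later permissions may reference earlier ones
        resolved[name] = evaluate(expr, resolved)
    return resolved
```

With this data, `dave` (both `exclude_writer` and `viewer`) ends up in `view_reference_write` and `view_inline_write_parens` but not in `view_inline_write`, where the exclusion also swallows every `viewer`.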