Hello all. First of all, fantastic project. I'm currently evaluating SpiceDB and had a few questions on capabilities and the type of questions SpiceDB can (should?) answer.
I was looking at the Google Cloud IAM blog post and the corresponding playground link:
https://play.authzed.com/s/pNIDdxdKKOMG/schema
Using the above schema, is it possible to get answers to the following queries? Also, do these queries even make sense in SpiceDB or should it be a different system?
1. Who has access to a project?
It seems I can add a permission that aggregates all other permissions, but I'm not sure if that's the correct approach. How well does this scale?
> permission has_access = granted_spanner_databaseroles_use + granted_spanner_databases_drop + ...
> zed permission lookup-subjects project:proj1 has_access user
2. What projects does a user have access to? (1 solves this, not sure if the approach is correct)
3. What roles does a user have access to in proj1?
4. Does user have roleA access in proj1? (is there a more efficient solution than the answer to 3)
5. What roles does a user have access to (all projects)?
6. What projects does a user have roleA access to?
Perhaps it's a different schema altogether that's needed for this. I'm just trying to wrap my head around the system and whether it's the right one to make these types of queries.