by Keverw 1288 days ago
I was just skimming over it real quick and don't have time to read the whole thing either. One thing that stood out is that a group can hold another group. So I guess if you had a role like tech support, web development, financial, etc. you could make a CEO role that includes the permissions within those other roles? If I am reading that right; never thought about that though. Kinda neat as role reusability.

Yep! Groups can be easily nested under one another by simply creating a relationship between the group's members and the members of another group.

In SpiceDB [0] schema this can be represented like so:

  definition group {
    relation member: user | group#member
  }

Here `member` allows a relationship to itself, which allows writing a relationship saying that every member of one group is a member of the containing group.

I threw together an example in our playground [1], if you'd like to try it out!

[0]: https://github.com/authzed/spicedb [1]: https://play.authzed.com/s/9D5h9I7mE9mK/schema

Not only inclusion, but other operators as well, such as negation, so you can say

  CanAccessAmericanSecrets = AllSREs - EmployeesInEnemyState
(or whatever)
No idea why you are getting downvoted. You are correct. The white paper, section 2.3, talks exactly about that. The namespace configuration pseudo-code shows exactly how this is written. Took me over a year to arrive at this conclusion.
Exclusion (and intersection as well) provide for some very powerful computation primitives, with only a slight overhead in performance.

In addition, there is `tupleset_to_userset` [0], which can be thought of as an arrow (which is also how it's defined in SpiceDB [1]).

[0]: https://zanzibar.tech/2D0HKhvxH0:0.IoJK1g_7i:4L~ses~0~1 [1]: https://docs.authzed.com/reference/schema-lang#--arrow

Yes. The white paper is very brief on details. Some systems in the wild totally miss the fact that a relation userset operation isn’t “include only”. That also applies to tupleset_to_userset.

I was in that misled camp for quite some time. One day it clicked, but only after realizing that the namespace config pseudo-code from section 2.3 IS what defines relationships: https://gruchalski.com/posts/2022-10-22-zanzibar-with-prolog.... Not the fancy object#relation@subject. That's just the query language.
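Added example, written for this thread and not taken from any commenter, SpiceDB or the Zanzibar paper: a toy Python evaluator for the userset rewrites discussed above (nested `group#member`, exclusion and intersection, and the `tupleset_to_userset` arrow) over constructed tuples. The `doc` namespace, the object and user names, and the depth limit are assumptions.

```python
# Constructed relationship tuples (object, relation, subject); a subject is a
# user ("user:alice") or a userset ("group:eng#member"), as in the schema above.
TUPLES = {
    ("group:eng", "member", "user:alice"),
    ("group:sre", "member", "user:bob"),
    ("group:sre", "member", "group:eng#member"),  # every eng member is an SRE
    ("group:ceo", "member", "group:sre#member"),  # the CEO role inherits the SRE role
    ("doc:secrets", "owner_group", "group:ceo"),  # assumed doc namespace
    ("doc:secrets", "viewer", "user:carol"),
    ("doc:secrets", "blocked", "user:bob"),
}

# Userset rewrites per namespace, in the spirit of the white paper's section 2.3
# pseudo-code: "this" reads tuples, "arrow" is tupleset_to_userset (SpiceDB's ->).
SCHEMA = {
    "group": {"member": ("this", "member")},
    "doc": {  # read = viewer + owner_group->member - blocked
        "read": ("exclusion",
                 ("union", ("this", "viewer"), ("arrow", "owner_group", "member")),
                 ("this", "blocked")),
    },
}

def check(obj, relation, user, depth=0):
    if depth > 20:  # assumed limit; guards against cycles such as a#member in b, b#member in a
        raise RecursionError(f"relationship graph too deep at {obj}#{relation}")
    return _eval(SCHEMA[obj.split(":", 1)[0]][relation], obj, user, depth)

def _eval(expr, obj, user, depth):
    kind = expr[0]
    if kind == "this":  # direct tuples; a userset subject recurses into that group
        for o, r, subject in TUPLES:
            if (o, r) != (obj, expr[1]):
                continue
            if subject == user:
                return True
            if "#" in subject and check(*subject.split("#", 1), user, depth + 1):
                return True
        return False
    if kind == "union":
        return any(_eval(e, obj, user, depth) for e in expr[1:])
    if kind == "intersection":
        return all(_eval(e, obj, user, depth) for e in expr[1:])
    if kind == "exclusion":  # in the base set and not in the subtracted set
        return _eval(expr[1], obj, user, depth) and not _eval(expr[2], obj, user, depth)
    if kind == "arrow":  # follow the tupleset relation, then check the computed relation there
        return any(check(subject, expr[2], user, depth + 1) for o, r, subject in TUPLES
                   if (o, r) == (obj, expr[1]) and "#" not in subject)
    raise ValueError(f"unknown rewrite {kind!r}")
```

With these tuples, alice reaches `group:ceo#member` through two levels of nesting and reads the doc via the arrow, while bob is an SRE (hence a CEO-role member) but is removed from `read` by the exclusion.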