Proposal: Get all permissions associated to a resource relation (reflection)

Open DanieleIsoni opened this issue 3 years ago • 6 comments

Problem

At the moment there isn't an API to retrieve all permissions that are given with a relation on a resource. E.g., given a schema like:

definition resource {
    relation manager: user
    relation owner: user
    
    permission own = owner
    permission manage = manager + own
}

It would be very useful if there were an API that, given resource_type=resource, relation=owner, returns a list of permissions [own, manage], while if relation=manager the result would be [manage].

Proposal

Introduce a new API that does what is explained in "Problem".

DanieleIsoni avatar May 23 '22 18:05 DanieleIsoni

One suggestion I would like to add, if possible: make the "relation" parameter optional; if not passed, return all the possible permissions.

Same API, pass resource_type=resource. Returns -> [own, manage]

Singha2 avatar Aug 01 '22 18:08 Singha2
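
The reflection requested in the issue, together with the optional "relation" parameter suggested in the first reply, sketched as an added example (not SpiceDB code or an existing SpiceDB API). The function names and the line-based parser are assumptions, and it handles only union (`+`) expressions within one definition, because a relation referenced under intersection or exclusion does not by itself grant the permission.

```python
import re

# Constructed sample input: the schema quoted in the issue.
SCHEMA = """
definition resource {
    relation manager: user
    relation owner: user

    permission own = owner
    permission manage = manager + own
}
"""

def parse_definition(schema, resource_type):
    """Return (relations, permissions) for one definition (union-only subset)."""
    pattern = r"definition\s+%s\s*\{(.*?)\}" % re.escape(resource_type)
    m = re.search(pattern, schema, re.S)
    if m is None:
        raise KeyError("unknown resource type: " + resource_type)
    relations, permissions = [], {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if r := re.fullmatch(r"relation\s+(\w+)\s*:.*", line):
            relations.append(r.group(1))
        elif p := re.fullmatch(r"permission\s+(\w+)\s*=\s*(.+)", line):
            operands = [t.strip() for t in p.group(2).split("+")]
            # Refuse &, -, ->, parentheses: membership there is not a grant.
            if not all(re.fullmatch(r"\w+", t) for t in operands):
                raise ValueError("only union (+) is handled: " + p.group(2))
            permissions[p.group(1)] = operands
    return relations, permissions

def permissions_for(schema, resource_type, relation=None):
    """Permissions conferred by `relation`; all permissions if it is None."""
    relations, permissions = parse_definition(schema, resource_type)
    if relation is None:
        return list(permissions)
    if relation not in relations:
        raise KeyError("unknown relation: " + relation)
    granted = {relation}
    changed = True
    while changed:  # fixpoint: permissions may be built from other permissions
        changed = False
        for name, operands in permissions.items():
            if name not in granted and granted.intersection(operands):
                granted.add(name)
                changed = True
    return [name for name in permissions if name in granted]
```

Run over a schema under review, this lists every permission a single relation write would confer, which is the set to check before granting that relation to a subject.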

Related: https://github.com/authzed/spicedb/issues/439

josephschorr avatar Sep 21 '22 19:09 josephschorr

Is this something that the AuthZed team plans to work on? At my company we're evaluating alternatives to Oso, and SpiceDB/AuthZed seems to fit the majority of the use cases and is much more flexible.

But we do have a need to show to users what permissions they have on specific resources. As I understand from this issue, this doesn't exist yet?

DonDebonair avatar Jan 19 '23 12:01 DonDebonair

@DonDebonair 👋🏻 it would seem like your requirement is slightly different tho?

  • this issue suggests that "for a given resource and relation, what permissions does it have?"
  • your ask reads like "for a given subject, what permissions does it have over a given resource?"

is that correct?

vroldanbet avatar Jan 19 '23 12:01 vroldanbet

@vroldanbet you are absolutely right! I misread/misunderstood the original issue. I mixed up relation and subject.

So I'm indeed asking "for a given subject, what permissions does it have over a given resource"

Should I open a separate issue for that, or is this already possible and did I not look properly for it?

DonDebonair avatar Jan 21 '23 12:01 DonDebonair

@DonDebonair yup, feel free to open a new issue! I suspect it would be built on top of the foundations for https://github.com/authzed/spicedb/issues/621

vroldanbet avatar Jan 23 '23 08:01 vroldanbet