# SpiceDB Schema

## Object Type

> An Object Type definition is used to represent a new type of object. This is like a class definition in an OOP language.

```spicedb
definition user {}

definition document {}
```

## Caveat

A caveat is a condition that can be attached to a relationship. The relationship is only considered present if the caveat evaluates to true at query time, using the context supplied with the check request.

## Relation

Defines how two objects (or an object and a subject) can relate to one another.

A user can read a document if they are a reader of the document. A document can be read by readers.

```spicedb
definition user {}

definition document {
  relation reader: user
}
```

### Subject Relation

A relation can also accept as its subject the set of subjects of another relation or permission, written as `type#relation`.

A user can be a member of group A. The members of group B can be members of group A.

```spicedb
definition user {}

definition group {
  relation member: user | group#member
}
```

### Wildcards

A relation can allow a wildcard subject (`user:*`) to indicate that a single relationship can grant access to every object of that subject type at once.

All users can view the resource. The resource is viewable by all users.

```spicedb
definition user {}

definition resource {
  relation viewer: user | user:*
}
```

A relationship to `user:*` makes the relation effectively public, so write one deliberately; wildcards are most useful combined with exclusion ("everyone except ...").

### Naming

Relations should be named as nouns.

* `{relation name} (of the object)`
  * `reader` of the document
  * `writer` of the document
  * `member` of the group
  * `parent` of the group

## Permissions

A permission defines a computed set of subjects that have some kind of access on the parent object. Permissions are computed from relations and other permissions; relationships are never written to a permission directly.

A user can be a reader or writer of a document. When a user is a writer of a document they have the view and edit permission on the document. When a user is a reader of a document they have the view permission on the document.
```spicedb
definition user {}

definition document {
  relation writer: user
  relation reader: user

  permission edit = writer
  permission view = reader + writer
}
```

### Operators

- `+`: Union operator; the result contains every subject found in either operand.
- `&`: Intersection operator; the result contains only the subjects found in both operands.
- `-`: Exclusion operator; the result contains the subjects of the left operand minus any found in the right operand.
- `->`: Arrow operator; walks from the subjects of a relation to a permission (or relation) on those subjects. `parent->view` means "the `view` permission on whatever object is in the `parent` relation", which is how a hierarchy is expressed.

Use parentheses to group sub-expressions when mixing operators, for example `(reader + writer) - banned`.

### Naming

Permissions should be named as verbs or nouns.

* `is/can {permission name} (the object)`
  * can `read` the object
  * can `write` the object
  * can `delete` the object
  * is `member` of the object

## Resources

* https://authzed.com/docs/spicedb/concepts/schema
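## Worked example

The Caveat and Operators sections above describe each construct in isolation. The schema below is an added example, not taken from the page or from the authzed documentation, that uses a caveat, a subject relation, a wildcard and all four operators in one place. The object types `organization`, `folder` and `document`, their relation names, and the `only_on_tuesday` caveat are made up for illustration.

```spicedb
// A caveat's parameters are supplied as context on the check request.
caveat only_on_tuesday(day_of_week string) {
  day_of_week == "tuesday"
}

definition user {}

definition group {
  // Subject relation: a group's members can be the members of another group.
  relation member: user | group#member
}

definition organization {
  relation admin: user
  relation banned: user
  // Exclusion: an admin who has also been banned loses the permission.
  permission administer = admin - banned
}

definition folder {
  relation parent: folder
  // Wildcard: a single relationship to user:* makes a folder viewable by everyone.
  relation viewer: user | user:* | group#member
  // Arrow: walk up the folder tree through the parent relation.
  permission view = viewer + parent->view
}

definition document {
  relation org: organization
  relation folder: folder
  relation writer: user
  // The same subject type may be allowed with and without a caveat.
  relation reader: user | user with only_on_tuesday
  relation approver: user
  // Union plus arrow: direct writers, or anyone who can administer the org.
  permission edit = writer + org->administer
  // A permission may reference other permissions; folder viewers inherit view.
  permission view = reader + edit + folder->view
  // Intersection: only a subject who is both an approver and a writer.
  permission approve = approver & writer
}
```

With this schema a constructed relationship such as `document:readme#reader@user:bob[only_on_tuesday]` grants `view` on `document:readme` only when the check request carries `day_of_week: "tuesday"` in its context; if the context is missing, SpiceDB reports the result as caveated rather than as a denial, and the caller must treat that as "not allowed". An admin listed in `organization#banned` can still be found through the `admin` relation, but not through the `administer` permission, so callers should always check permissions, never raw relations.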