Question 1

How to model hierarchical permissions in SpiceDB?

Accepted Answer

Use relationships and recursive permissions in schemas, like defining parent-child resource hierarchies. The README's folder-document example shows this with 'parent->view' permissions for inheritance.

Question 2

SpiceDB vs Open Policy Agent: which is better for authorization?

Accepted Answer

SpiceDB excels at scalable, centralized relationship-based checks with a database backend, while OPA is a general policy engine for embedded, rule-based enforcement. Choose SpiceDB for high-scale microservices; OPA for lightweight, configurable policies.

Question 3

Can SpiceDB handle attribute-based access control?

Accepted Answer

Yes, through caveats that add conditions to relationships, enabling ABAC-like functionality. The README cites Netflix's use of caveats for complex identity types.

Question 4

What databases does SpiceDB support for storage?

Accepted Answer

It supports Google Cloud Spanner, CockroachDB, MySQL, and PostgreSQL, as mentioned in the deployment section, allowing flexibility based on infrastructure needs.

Question 5

How to deploy SpiceDB on Kubernetes?

Accepted Answer

Use community-maintained examples or the SpiceDB Operator. The README provides a kubectl command to apply a test YAML, but production requires more configuration for datastores and scaling.

Question 6

Is SpiceDB agnostic to authentication providers?

Accepted Answer

Yes, it focuses purely on authorization and requires separate integration with authentication solutions like OAuth2 or SAML, which adds setup steps for identity management.

spicedb

What is spicedb?

Overview

Use Cases

Best For

Related Projects

Found a gem we're missing?

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions