<img src="https://jalexsocial.github.io/spicedb.docs/images/spicedb-logo.png">

SpiceDb is an open-source, Zanzibar-inspired authorization system that provides a robust and scalable solution for managing fine-grained permissions across distributed systems. Its implementation closely follows the principles set out in Google's Zanzibar paper, adapting them into a practical and deployable system.

SpiceDb was created by AuthZed and documentation specifically for SpiceDb can be found on their site.

SpiceDb.net Documentation

SpiceDb.net was created by Michael Tanczos and has contributions from Pavel Akimov, Mahesh Bailwal, Vinícius Gajo, and others. Documentation for SpiceDb.net is in progress and can be found here: https://jalexsocial.github.io/spicedb.docs/

What's New?

1.6.0

1.5.3

1.5.2

1.5.1

Usage

Install

Available on NuGet at https://www.nuget.org/packages/SpiceDb

Install the package using NuGet:

```powershell
Install-Package SpiceDb
```

Example Using UserSecrets

```csharp
using System;
using Microsoft.Extensions.Configuration;
using SpiceDb;
using SpiceDb.Example;
using SpiceDb.Example.MyObjects;
using SpiceDb.Models;

// This is just to keep the server address and token private
var builder = new ConfigurationBuilder()
    .AddUserSecrets(typeof(Secrets).Assembly)
    .AddEnvironmentVariables();
var configurationRoot = builder.Build();

var secrets = configurationRoot.GetSection("AuthZed").Get<Secrets>();

if (secrets is null)
    throw new ArgumentException("Invalid secrets configuration");

// var serverAddress = "https://grpc.authzed.com";
// Create a new client with a prefix of "arch" for all defined objects
var client = new SpiceDbClient(secrets.ServerAddress, secrets.Token, "arch");

// Add relationship where user:bob is a reader of document:firstdoc
// Note that because the schema prefix is set in the client it is not necessary to always prefix every resource definition
client.AddRelationship("arch/document:firstdoc#reader@arch/user:bob");

// This also works
client.AddRelationship("document:firstdoc#reader@user:kevin");

// Second approach to adding relationships
client.AddRelationship(new Relationship("arch/document:firstdoc", "reader", "arch/user:jacob"));

// This approach uses a little syntactic sugar to define each of the relations
client.AddRelationship(ZedUser.WithId("carmella").CanRead(ZedDocument.WithId("firstdoc")));

// Check to see if user:bob is in fact now a reader of document:firstdoc
var bobCanRead = client.CheckPermission(new Permission("arch/document:firstdoc#reader@arch/user:bob"));

Console.WriteLine($"Can user bob read document:firstdoc? {bobCanRead.HasPermission}");
// true

// This is a similar check for user:kevin, written without prefixes
var kevinCanRead = client.CheckPermission(new Permission("document:firstdoc#reader@user:kevin"));

Console.WriteLine($"Can user kevin read document:firstdoc? {kevinCanRead.HasPermission}");
// true

// Check to see if user:carmella is in fact now a reader of document:firstdoc
var carmellaCanRead = client.CheckPermission(ZedUser.WithId("carmella").CanRead(ZedDocument.WithId("firstdoc")));

Console.WriteLine($"Can user carmella read document:firstdoc? {carmellaCanRead.HasPermission}");
// true
```
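The example above checks the `reader` relation directly. The following added example (not part of the SpiceDb.net project's own code) first loads a schema with `ImportSchemaFromStringAsync` so that checks are made against computed permissions rather than raw relations, then revokes a relationship and checks again. The environment variable names, the schema, and the exact signatures of `ImportSchemaFromStringAsync` and `DeleteRelationshipAsync` are assumptions; `AddRelationship`, `CheckPermission` and `HasPermission` are used as in the README example.

```csharp
using System;
using SpiceDb;
using SpiceDb.Models;

// Connection details come from the environment (variable names are constructed
// for this example) so that no token is hard-coded in source.
string serverAddress = Environment.GetEnvironmentVariable("SPICEDB_ADDRESS")
    ?? throw new InvalidOperationException("SPICEDB_ADDRESS is not set");
string token = Environment.GetEnvironmentVariable("SPICEDB_TOKEN")
    ?? throw new InvalidOperationException("SPICEDB_TOKEN is not set");

// Same "arch" prefix as the README example.
var client = new SpiceDbClient(serverAddress, token, "arch");

// Schema in SpiceDB's schema language (constructed for this example). `read` is a
// permission computed from two relations, so callers never need to know which
// relation granted access; `write` is limited to editors.
const string schema = @"
definition arch/user {}

definition arch/document {
    relation reader: arch/user
    relation editor: arch/user
    permission read = reader + editor
    permission write = editor
}";

// Assumed signature: the method listed in the API section takes the schema text.
await client.ImportSchemaFromStringAsync(schema);

// bob is a direct reader; alice is an editor and reaches `read` through that relation.
client.AddRelationship(new Relationship("arch/document:firstdoc", "reader", "arch/user:bob"));
client.AddRelationship(new Relationship("arch/document:firstdoc", "editor", "arch/user:alice"));

// Check the computed permission, not the relation: if the schema later adds
// another relation to `read`, callers pick it up without code changes.
static bool Allowed(SpiceDbClient c, string permission) =>
    c.CheckPermission(new Permission(permission)).HasPermission;

Console.WriteLine($"bob read:    {Allowed(client, "document:firstdoc#read@user:bob")}");    // direct reader
Console.WriteLine($"alice read:  {Allowed(client, "document:firstdoc#read@user:alice")}");  // via editor
Console.WriteLine($"bob write:   {Allowed(client, "document:firstdoc#write@user:bob")}");   // bob holds no editor relation

// Revocation: removing alice's editor relationship removes every permission derived from it.
// Assumed signature: DeleteRelationshipAsync accepts the same Relationship type as AddRelationship.
await client.DeleteRelationshipAsync(new Relationship("arch/document:firstdoc", "editor", "arch/user:alice"));

Console.WriteLine($"alice write: {Allowed(client, "document:firstdoc#write@user:alice")}"); // editor relation is gone
```

SpiceDB answers checks at a requested consistency level, so a check issued immediately after a write can be served from an earlier snapshot; review the client's consistency options before relying on the read-your-writes pattern shown here.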


API Coverage

| authzed.api.v1 method | Implemented |
|---|---|
| ReadRelationships | Yes |
| WriteRelationships | Yes |
| DeleteRelationships | Yes |
| CheckPermission | Yes |
| ExpandPermissionTree | Yes |
| LookupResources | Yes |
| LookupSubjects | Yes |
| ReadSchema | Yes |
| WriteSchema | Yes, as Import* methods |
| Watch | Yes |

API Methods

SpiceDbClient Class

The SpiceDbClient class provides a client for interacting with Authzed's SpiceDb, offering methods to manipulate permission systems efficiently.

Constructors

SpiceDbClient(string token, string? schemaPrefix = null)

Initializes a new instance of the SpiceDbClient class using the default Authzed server address.

Parameters

SpiceDbClient(string serverAddress, string token, string? schemaPrefix = null)

Initializes a new instance of the SpiceDbClient class with the specified server address, token, and schema prefix.

Parameters

Exceptions

Methods

ReadRelationshipsAsync

Asynchronously reads a set of relationships matching one or more filters.

Parameters

Returns

WriteRelationshipsAsync

Atomically writes and/or deletes a set of specified relationships, with optional preconditions.

Parameters

Returns

DeleteRelationshipsAsync

Atomically bulk deletes all relationships matching the provided filters, with optional preconditions.

Parameters

Returns

CheckPermissionAsync

Checks permissions for a given resource and subject, optionally considering additional context.

Parameters

Returns

ExpandPermissionAsync

Expands the permission tree for a resource's permission or relation, revealing the graph structure. This method may require multiple calls to fully unnest a deeply nested graph.

Parameters

Returns

AddRelationshipsAsync

Adds or updates multiple relationships as a single atomic update.

Parameters

Returns

AddRelationshipAsync

Adds or updates a single relationship.

Parameters

Returns

DeleteRelationshipAsync

Removes an existing relationship (if it exists).

Parameters

Returns

LookupSubjects

Returns all the subjects of a given type that have access, whether via a computed permission or relation membership.

Parameters

Returns

LookupResources

Returns all the resources of a given type that a subject can access, whether via a computed permission or relation membership.

Parameters

Returns

Watch

Listens for changes to specified subjects and returns updates as they occur.

Parameters

Returns

GetResourcePermissionsAsync

Retrieves the list of permissions for a specified resource, permission, and subject.

Parameters

Returns

ReadSchema

Reads the schema currently in use by SpiceDB.

Returns

ImportSchemaFromFileAsync

Imports a schema into SpiceDB from a specified file.

Parameters

Returns

ImportSchemaFromStringAsync

Imports a schema into SpiceDB from a provided string.

Parameters

Returns

ImportRelationshipsFromFileAsync

Imports relationships into SpiceDB from a specified file.

Parameters

Returns

ImportRelationshipsAsync

Imports relationships into SpiceDB from a provided string.

Parameters

Returns

CheckBulkPermissionAsync (IEnumerable<string> permissions)

Checks multiple permissions in bulk for a specified list of permission identifiers.

Parameters

Returns

CheckBulkPermissionAsync (IEnumerable<Permission> permissions)

Checks multiple permissions in bulk for a specified list of Permission objects.

Parameters

Returns

CheckBulkPermissionAsync (IEnumerable<CheckBulkPermissionsRequestItem> items)

Checks multiple permissions in bulk for a specified list of CheckBulkPermissionsRequestItem objects.

Parameters

Returns