- Home
- Learn
- SpiceDB Schema Examples
- Google Cloud IAM (Spanner)
Google Cloud IAM (Spanner)
Re-creates Google Cloud's IAM permissions for Spanner. A large, role-grant-driven schema with cascading project / instance / database scopes.
Real-worldView on GitHub
Google Cloud IAM (Spanner)
Re-creates Google Cloud's IAM permissions for Spanner. A large, role-grant-driven schema with cascading project / instance / database scopes.
definition user {}
definition role {
relation bound_user: user
relation spanner_databaseoperations_cancel: role
relation spanner_databaseoperations_delete: role
relation spanner_databaseoperations_get: role
relation spanner_databaseoperations_list: role
relation spanner_databaseroles_list: role
relation spanner_databaseroles_use: role
relation spanner_databases_beginorrollbackreadwritetransaction: role
relation spanner_databases_beginpartitioneddmltransaction: role
relation spanner_databases_beginreadonlytransaction: role
relation spanner_databases_create: role
relation spanner_databases_drop: role
relation spanner_databases_get: role
relation spanner_databases_getddl: role
relation spanner_databases_getiampolicy: role
relation spanner_databases_list: role
relation spanner_databases_partitionquery: role
relation spanner_databases_partitionread: role
relation spanner_databases_read: role
relation spanner_databases_select: role
relation spanner_databases_setiampolicy: role
relation spanner_databases_update: role
relation spanner_databases_updateddl: role
relation spanner_databases_userolebasedaccess: role
relation spanner_databases_write: role
relation spanner_instances_get: role
relation spanner_instances_getiampolicy: role
relation spanner_instances_list: role
relation spanner_sessions_create: role
relation spanner_sessions_delete: role
relation spanner_sessions_get: role
relation spanner_sessions_list: role
permission can_spanner_databaseoperations_cancel = spanner_databaseoperations_cancel->bound_user
permission can_spanner_databaseoperations_delete = spanner_databaseoperations_delete->bound_user
permission can_spanner_databaseoperations_get = spanner_databaseoperations_get->bound_user
permission can_spanner_databaseoperations_list = spanner_databaseoperations_list->bound_user
permission can_spanner_databaseroles_list = spanner_databaseroles_list->bound_user
permission can_spanner_databaseroles_use = spanner_databaseroles_use->bound_user
permission can_spanner_databases_beginorrollbackreadwritetransaction = spanner_databases_beginorrollbackreadwritetransaction->bound_user
permission can_spanner_databases_beginpartitioneddmltransaction = spanner_databases_beginpartitioneddmltransaction->bound_user
permission can_spanner_databases_beginreadonlytransaction = spanner_databases_beginreadonlytransaction->bound_user
permission can_spanner_databases_create = spanner_databases_create->bound_user
permission can_spanner_databases_drop = spanner_databases_drop->bound_user
permission can_spanner_databases_get = spanner_databases_get->bound_user
permission can_spanner_databases_getddl = spanner_databases_getddl->bound_user
permission can_spanner_databases_getiampolicy = spanner_databases_getiampolicy->bound_user
permission can_spanner_databases_list = spanner_databases_list->bound_user
permission can_spanner_databases_partitionquery = spanner_databases_partitionquery->bound_user
permission can_spanner_databases_partitionread = spanner_databases_partitionread->bound_user
permission can_spanner_databases_read = spanner_databases_read->bound_user
permission can_spanner_databases_select = spanner_databases_select->bound_user
permission can_spanner_databases_setiampolicy = spanner_databases_setiampolicy->bound_user
permission can_spanner_databases_update = spanner_databases_update->bound_user
permission can_spanner_databases_updateddl = spanner_databases_updateddl->bound_user
permission can_spanner_databases_userolebasedaccess = spanner_databases_userolebasedaccess->bound_user
permission can_spanner_databases_write = spanner_databases_write->bound_user
permission can_spanner_instances_get = spanner_instances_get->bound_user
permission can_spanner_instances_getiampolicy = spanner_instances_getiampolicy->bound_user
permission can_spanner_instances_list = spanner_instances_list->bound_user
permission can_spanner_sessions_create = spanner_sessions_create->bound_user
permission can_spanner_sessions_delete = spanner_sessions_delete->bound_user
permission can_spanner_sessions_get = spanner_sessions_get->bound_user
permission can_spanner_sessions_list = spanner_sessions_list->bound_user
}
definition project {
relation granted: role
// Synthetic Instance Relations
permission granted_spanner_instances_get = granted->can_spanner_instances_get
permission granted_spanner_instances_getiampolicy = granted->can_spanner_instances_getiampolicy
permission granted_spanner_instances_list = granted->can_spanner_instances_list
// Synthetic Database Relations
permission granted_spanner_databases_beginorrollbackreadwritetransaction = granted->can_spanner_databases_beginorrollbackreadwritetransaction
permission granted_spanner_databases_beginpartitioneddmltransaction = granted->can_spanner_databases_beginpartitioneddmltransaction
permission granted_spanner_databases_beginreadonlytransaction = granted->can_spanner_databases_beginreadonlytransaction
permission granted_spanner_databases_create = granted->can_spanner_databases_create
permission granted_spanner_databases_drop = granted->can_spanner_databases_drop
permission granted_spanner_databases_get = granted->can_spanner_databases_get
permission granted_spanner_databases_getddl = granted->can_spanner_databases_getddl
permission granted_spanner_databases_getiampolicy = granted->can_spanner_databases_getiampolicy
permission granted_spanner_databases_list = granted->can_spanner_databases_list
permission granted_spanner_databases_partitionquery = granted->can_spanner_databases_partitionquery
permission granted_spanner_databases_partitionread = granted->can_spanner_databases_partitionread
permission granted_spanner_databases_read = granted->can_spanner_databases_read
permission granted_spanner_databases_select = granted->can_spanner_databases_select
permission granted_spanner_databases_setiampolicy = granted->can_spanner_databases_setiampolicy
permission granted_spanner_databases_update = granted->can_spanner_databases_update
permission granted_spanner_databases_updateddl = granted->can_spanner_databases_updateddl
permission granted_spanner_databases_userolebasedaccess = granted->can_spanner_databases_userolebasedaccess
permission granted_spanner_databases_write = granted->can_spanner_databases_write
// Synthetic Sessions Relations
permission granted_spanner_sessions_create = granted->can_spanner_sessions_create
permission granted_spanner_sessions_delete = granted->can_spanner_sessions_delete
permission granted_spanner_sessions_get = granted->can_spanner_sessions_get
permission granted_spanner_sessions_list = granted->can_spanner_sessions_list
// Synthetic Database Operations Relations
permission granted_spanner_databaseoperations_cancel = granted->can_spanner_databaseoperations_cancel
permission granted_spanner_databaseoperations_delete = granted->can_spanner_databaseoperations_delete
permission granted_spanner_databaseoperations_get = granted->can_spanner_databaseoperations_get
permission granted_spanner_databaseoperations_list = granted->can_spanner_databaseoperations_list
// Synthetic Database Roles Relations
permission granted_spanner_databaseroles_list = granted->can_spanner_databaseroles_list
permission granted_spanner_databaseroles_use = granted->can_spanner_databaseroles_use
}
definition spanner_instance {
relation project: project
relation granted: role
permission get = granted->can_spanner_instances_get + project->granted_spanner_instances_get
permission getiampolicy = granted->can_spanner_instances_getiampolicy + project->granted_spanner_instances_getiampolicy
permission list = granted->can_spanner_instances_list + project->granted_spanner_instances_list
// Synthetic Database Relations
permission granted_spanner_databases_beginorrollbackreadwritetransaction = granted->can_spanner_databases_beginorrollbackreadwritetransaction + project->granted_spanner_databases_beginorrollbackreadwritetransaction
permission granted_spanner_databases_beginpartitioneddmltransaction = granted->can_spanner_databases_beginpartitioneddmltransaction + project->granted_spanner_databases_beginpartitioneddmltransaction
permission granted_spanner_databases_beginreadonlytransaction = granted->can_spanner_databases_beginreadonlytransaction + project->granted_spanner_databases_beginreadonlytransaction
permission granted_spanner_databases_create = granted->can_spanner_databases_create + project->granted_spanner_databases_create
permission granted_spanner_databases_drop = granted->can_spanner_databases_drop + project->granted_spanner_databases_drop
permission granted_spanner_databases_get = granted->can_spanner_databases_get + project->granted_spanner_databases_get
permission granted_spanner_databases_getddl = granted->can_spanner_databases_getddl + project->granted_spanner_databases_getddl
permission granted_spanner_databases_getiampolicy = granted->can_spanner_databases_getiampolicy + project->granted_spanner_databases_getiampolicy
permission granted_spanner_databases_list = granted->can_spanner_databases_list + project->granted_spanner_databases_list
permission granted_spanner_databases_partitionquery = granted->can_spanner_databases_partitionquery + project->granted_spanner_databases_partitionquery
permission granted_spanner_databases_partitionread = granted->can_spanner_databases_partitionread + project->granted_spanner_databases_partitionread
permission granted_spanner_databases_read = granted->can_spanner_databases_read + project->granted_spanner_databases_read
permission granted_spanner_databases_select = granted->can_spanner_databases_select + project->granted_spanner_databases_select
permission granted_spanner_databases_setiampolicy = granted->can_spanner_databases_setiampolicy + project->granted_spanner_databases_setiampolicy
permission granted_spanner_databases_update = granted->can_spanner_databases_update + project->granted_spanner_databases_update
permission granted_spanner_databases_updateddl = granted->can_spanner_databases_updateddl + project->granted_spanner_databases_updateddl
permission granted_spanner_databases_userolebasedaccess = granted->can_spanner_databases_userolebasedaccess + project->granted_spanner_databases_userolebasedaccess
permission granted_spanner_databases_write = granted->can_spanner_databases_write + project->granted_spanner_databases_write
// Synthetic Sessions Relations
permission granted_spanner_sessions_create = granted->can_spanner_sessions_create + project->granted_spanner_sessions_create
permission granted_spanner_sessions_delete = granted->can_spanner_sessions_delete + project->granted_spanner_sessions_delete
permission granted_spanner_sessions_get = granted->can_spanner_sessions_get + project->granted_spanner_sessions_get
permission granted_spanner_sessions_list = granted->can_spanner_sessions_list + project->granted_spanner_sessions_list
// Synthetic Database Operations Relations
permission granted_spanner_databaseoperations_cancel = granted->can_spanner_databaseoperations_cancel + project->granted_spanner_databaseoperations_cancel
permission granted_spanner_databaseoperations_delete = granted->can_spanner_databaseoperations_delete + project->granted_spanner_databaseoperations_delete
permission granted_spanner_databaseoperations_get = granted->can_spanner_databaseoperations_get + project->granted_spanner_databaseoperations_get
permission granted_spanner_databaseoperations_list = granted->can_spanner_databaseoperations_list + project->granted_spanner_databaseoperations_list
// Synthetic Database Roles Relations
permission granted_spanner_databaseroles_list = granted->can_spanner_databaseroles_list + project->granted_spanner_databaseroles_list
permission granted_spanner_databaseroles_use = granted->can_spanner_databaseroles_use + project->granted_spanner_databaseroles_use
}
definition spanner_database {
relation instance: spanner_instance
relation granted: role
// Database
permission beginorrollbackreadwritetransaction = granted->can_spanner_databases_beginorrollbackreadwritetransaction + instance->granted_spanner_databases_beginorrollbackreadwritetransaction
permission beginpartitioneddmltransaction = granted->can_spanner_databases_beginpartitioneddmltransaction + instance->granted_spanner_databases_beginpartitioneddmltransaction
permission beginreadonlytransaction = granted->can_spanner_databases_beginreadonlytransaction + instance->granted_spanner_databases_beginreadonlytransaction
permission create = granted->can_spanner_databases_create + instance->granted_spanner_databases_create
permission drop = granted->can_spanner_databases_drop + instance->granted_spanner_databases_drop
permission get = granted->can_spanner_databases_get + instance->granted_spanner_databases_get
permission get_ddl = granted->can_spanner_databases_getddl + instance->granted_spanner_databases_getddl
permission getiampolicy = granted->can_spanner_databases_getiampolicy + instance->granted_spanner_databases_getiampolicy
permission list = granted->can_spanner_databases_list + instance->granted_spanner_databases_list
permission partitionquery = granted->can_spanner_databases_partitionquery + instance->granted_spanner_databases_partitionquery
permission partitionread = granted->can_spanner_databases_partitionread + instance->granted_spanner_databases_partitionread
permission read = granted->can_spanner_databases_read + instance->granted_spanner_databases_read
permission select = granted->can_spanner_databases_select + instance->granted_spanner_databases_select
permission setiampolicy = granted->can_spanner_databases_setiampolicy + instance->granted_spanner_databases_setiampolicy
permission update = granted->can_spanner_databases_update + instance->granted_spanner_databases_update
permission updateddl = granted->can_spanner_databases_updateddl + instance->granted_spanner_databases_updateddl
permission userolebasedaccess = granted->can_spanner_databases_userolebasedaccess + instance->granted_spanner_databases_userolebasedaccess
permission write = granted->can_spanner_databases_write + instance->granted_spanner_databases_write
// Sessions
permission create_session = granted->can_spanner_sessions_create + instance->granted_spanner_sessions_create
permission delete_session = granted->can_spanner_sessions_delete + instance->granted_spanner_sessions_delete
permission get_session = granted->can_spanner_sessions_get + instance->granted_spanner_sessions_get
permission list_sessions = granted->can_spanner_sessions_list + instance->granted_spanner_sessions_list
// Database Operations
permission cancel_operation = granted->can_spanner_databaseoperations_cancel + instance->granted_spanner_databaseoperations_cancel
permission delete_operation = granted->can_spanner_databaseoperations_delete + instance->granted_spanner_databaseoperations_delete
permission get_operation = granted->can_spanner_databaseoperations_get + instance->granted_spanner_databaseoperations_get
permission list_operations = granted->can_spanner_databaseoperations_list + instance->granted_spanner_databaseoperations_list
// Database Roles
permission list_roles = granted->can_spanner_databaseroles_list + instance->granted_spanner_databaseroles_list
permission use_role = granted->can_spanner_databaseroles_use + instance->granted_spanner_databaseroles_use
}Schemas come from the authzed/examples repository (Apache 2.0). Comments shown alongside the code are the authors' original docstrings.