I was just skimming over real quick but don’t have to either to read the whole thing. One thing that stood out is that a group can hold another group. So I guess if you had a role like tech support, web development, financial, etc., you could make a CEO role that includes the permissions within those other roles? If I am reading that right, never thought about that though. Kinda neat as role reusability.

Yep! Groups can be easily nested under one another by simply creating a relationship between the group's members and the members of another group.

In SpiceDB [0] schema this can be represented like so:

  definition user {}

  definition group {
    // a member is either a user or every member of another group
    relation member: user | group#member
  }

Here `member` allows a relationship to itself, which allows writing a relationship saying that every member of one group is a member of the containing group.

I threw together an example in our playground [1], if you'd like to try it out!

[0]: https://github.com/authzed/spicedb

[1]: https://play.authzed.com/s/9D5h9I7mE9mK/schema
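To show which direction the nesting flows for the CEO case raised above, here is a toy resolver for `group#member` subject sets. It is an added example, not part of the thread and not SpiceDB's own code; the group names, user names and sample relationships are constructed, and the walk is a simplified model of how such relationships are resolved.

```python
# Toy model of resolving nested `group#member` relationships; not SpiceDB's code.
import re
from collections import defaultdict

# resource#relation@subject, where the subject may carry "#relation" (a subject set)
TUPLE_RE = re.compile(r"^(\w+:\w+)#(\w+)@(\w+:\w+)(?:#(\w+))?$")

# Constructed sample relationships (all names are hypothetical).
RELATIONSHIPS = """
group:support#member@user:sam
group:finance#member@user:fay
group:support#member@group:ceo#member
group:finance#member@group:ceo#member
group:ceo#member@user:carol
group:ceo#member@group:support_leads#member
group:support_leads#member@group:ceo#member
"""

def load(text):
    """Index relationships as (resource, relation) -> {(subject, subject_relation)}."""
    index = defaultdict(set)
    for line in text.split():
        m = TUPLE_RE.match(line)
        if not m:
            raise ValueError(f"malformed relationship: {line!r}")
        resource, relation, subject, subject_relation = m.groups()
        index[(resource, relation)].add((subject, subject_relation))
    return index

def check(index, resource, relation, user, _seen=None):
    """True if `user` holds `relation` on `resource`, directly or through nesting."""
    seen = _seen if _seen is not None else set()
    if (resource, relation) in seen:
        return False  # already explored; also stops cycles such as ceo <-> support_leads
    seen.add((resource, relation))
    for subject, subject_relation in index.get((resource, relation), ()):
        if subject_relation is None:
            if subject == user:  # direct membership
                return True
        elif check(index, subject, subject_relation, user, seen):
            return True  # member of a nested group
    return False

INDEX = load(RELATIONSHIPS)
```

Writing `group:support#member@group:ceo#member` puts every CEO member into `support`, not the reverse, so `user:sam` never becomes a member of `group:ceo`.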