Uploading to the lookaside requires PermissionManage which is only available to admins #199

Open
josephtate opened this issue Oct 3, 2024 · 2 comments
Labels
enhancement New feature or request


@josephtate

Is this feature request related to a problem? If so, please describe it.

Our developers cannot upload to the lookaside without being global:peridot admins.

Describe the solution you'd like to see

I'm not sure, but there should be a distinction between admins and lookaside uploaders.

Have you considered alternative solutions/features? If so, please describe them.

I've added all our devs (usergroup:devs#members) to the admin relationship on global:peridot, but this gives too many permissions.

Version and Build Information

N/A

Additional Context

```go
func (s *Server) LookasideFileUpload(ctx context.Context, req *peridotpb.LookasideFileUploadRequest) (*peridotpb.LookasideFileUploadResponse, error) {
	if err := req.Validate(); err != nil {
		return nil, err
	}
	// The upload is gated on PermissionManage on global:peridot.
	if err := s.checkPermission(ctx, ObjectGlobal, ObjectIdPeridot, PermissionManage); err != nil {
		return nil, err
	}
	// ... (rest of the handler is not shown in the issue)
}
```

```
definition global {
        relation admin: user | usergroup#member | usergroup#manager
        relation member: user | usergroup#member | usergroup#manager
        permission manage = admin
        permission customer_god_mode = admin
        permission employee = admin + member
}
```

I guess I'd like the employee permission to be able to upload.

@josephtate josephtate added the enhancement New feature or request label Oct 3, 2024
@mstg
Member

mstg commented Oct 7, 2024

I'm not against making this change but do want to remind you that the current global schema only has admin for the OSS version. We can add a lookaside permission to global in the OSS version, then you would have to add it to the CIQ deployment. Shouldn't be too big of a deal, but I need to find some time to deploy a SpiceDB schema change first.
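
Added example, not part of the issue thread and not Peridot or SpiceDB code: a small Go model of the quoted `global` definition that lists what a developer ends up holding under the admin workaround versus under a dedicated upload permission. The `lookaside_upload` permission, the `uploader` relation, the user `alice` and the tuples are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"sort"
)

// Schema maps a permission to the relations whose union grants it.
type Schema map[string][]string

// Current mirrors the `global` definition quoted in the issue.
var Current = Schema{"manage": {"admin"}, "customer_god_mode": {"admin"}, "employee": {"admin", "member"}}

// Proposed adds a hypothetical permission and relation (names assumed).
var Proposed = Schema{"manage": {"admin"}, "customer_god_mode": {"admin"},
	"employee": {"admin", "member"}, "lookaside_upload": {"admin", "uploader"}}

// Constructed sample data: a group, then tuples on global:peridot.
var Groups = map[string]map[string]bool{"usergroup:devs#member": {"alice": true}}
var Workaround = map[string][]string{"admin": {"usergroup:devs#member"}}
var Scoped = map[string][]string{"uploader": {"usergroup:devs#member"}}

// Granted returns, sorted, every permission user holds under schema s.
func Granted(s Schema, tuples map[string][]string, user string) []string {
	out := []string{}
	for perm, rels := range s {
		if holds(rels, tuples, user) {
			out = append(out, perm)
		}
	}
	sort.Strings(out)
	return out
}

// holds: is user a subject of any listed relation, directly or via a group?
func holds(rels []string, tuples map[string][]string, user string) bool {
	for _, r := range rels {
		for _, subj := range tuples[r] {
			if subj == user || Groups[subj][user] {
				return true
			}
		}
	}
	return false
}

func main() {
	fmt.Println("devs as admin:   ", Granted(Current, Workaround, "alice"))
	fmt.Println("devs as uploader:", Granted(Proposed, Scoped, "alice"))
}
```

Under the workaround the developer holds `customer_god_mode`, `employee` and `manage`; with the scoped relation the same developer holds only the upload permission.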

@mstg
Member

mstg commented Oct 7, 2024
