Author: Joey Schorr
Word count: 1403
Language: English
Hacker News points: None

Summary

SpiceDB supports both intersection and exclusion operators for computing permissions. With these operators a schema can state that a subject holds a permission only if the subject is found on both paths (intersection), or if it is found on one path but not on the other (exclusion). Intersection is typically used when a permission depends on several other permissions or roles; exclusion is used when an application wants to deny access to particular users. SpiceDB computes intersections and exclusions by walking the directed graph formed by the relationships and the schema, from the permission to the subject in question, treating each step of the walk as its own subproblem to be solved. This allows subproblems to be partially short-circuited, but if any branch returns a negative result, all branches must return before the answer is known. SpiceDB handles such complex permission systems with good performance by caching subproblems for reuse and executing them in parallel.
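The walk described above, as an added illustration that is not code from the article or from SpiceDB itself: a single-threaded Python evaluator over a constructed relationship set and a hypothetical two-permission schema (`view = reader & org_member`, `view_allowed = view - banned`), where every (resource, permission, subject) step is a memoised subproblem and the count of solved subproblems shows where a negative branch lets the walk stop early.

```python
from functools import lru_cache

# Constructed sample relationships (not from the article), keyed by
# (resource, relation) -> set of subjects, standing in for SpiceDB tuples
# such as document:plan#reader@user:alice.
RELATIONSHIPS = {
    ("document:plan", "reader"): {"user:alice", "user:bob", "user:carol"},
    ("document:plan", "org_member"): {"user:alice", "user:carol"},
    ("document:plan", "banned"): {"user:carol"},
}

# Hypothetical schema as expression trees; in SpiceDB's schema language it is
#   permission view = reader & org_member        (intersection)
#   permission view_allowed = view - banned      (exclusion)
SCHEMA = {
    "reader": ("rel", "reader"),
    "org_member": ("rel", "org_member"),
    "banned": ("rel", "banned"),
    "view": ("and", "reader", "org_member"),
    "view_allowed": ("sub", "view", "banned"),
}

solved = []  # every subproblem actually computed, in order


@lru_cache(maxsize=None)  # memoise each (resource, permission, subject) step
def check(resource, name, subject):
    """One step of the walk: can `subject` reach resource#name?"""
    solved.append((resource, name, subject))
    expr = SCHEMA[name]
    if expr[0] == "rel":  # leaf: a direct relationship lookup
        return subject in RELATIONSHIPS.get((resource, expr[1]), set())
    if expr[0] == "and":
        # Intersection: the subject must appear on every branch; the first
        # negative branch settles the answer, so remaining branches are skipped.
        return all(check(resource, branch, subject) for branch in expr[1:])
    if expr[0] == "sub":
        # Exclusion: on the left-hand branch but absent from the right-hand one.
        # The right side is only consulted when the left side is positive.
        return check(resource, expr[1], subject) and not check(resource, expr[2], subject)
    raise ValueError(f"unknown operator {expr[0]!r}")


def run(resource, name, subject):
    """Fresh evaluation; returns (allowed, number of subproblems solved)."""
    check.cache_clear()
    solved.clear()
    allowed = check(resource, name, subject)
    return allowed, len(solved)
```

For `user:bob` the `org_member` branch is negative, so `view` is settled without consulting `banned` (4 subproblems instead of 5); a later `check` of `view` for the same subject is answered from the cache without being re-solved.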