Company:
Date Published:
Author: Jake Moshenko
Word count: 2038
Language: English
Hacker News points: None

Summary

Cloud Spanner's permissions can be modeled with relationship-based access control, which yields fine-grained access decisions. The model keeps permissions separate from roles: a role is a named set of permissions, and binding a role to a user grants access to a whole class of objects (everything beneath a project or an instance, for example) rather than to one particular object. The object types and their hierarchy are defined first: instances, databases, sessions, database roles, and the operations that can be performed on them. Custom roles are then modeled as objects carrying an explicit list of permissions, and role bindings tie such a role to a specific user at a given scope, such as a project or an instance. The final step is the access decision itself: the permission computation for a specific instance or database walks up the hierarchy and consults the permissions of every role binding in scope. The result is a model that is both precise and flexible enough to express custom Cloud Spanner roles.
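The following is an added example, not code from the post or from any authorization product; it is a toy Zanzibar-style evaluator that implements the model the summary describes. The schema, the `user:*` wildcard convention for "any bound user", the relation names (`granted`, `user`, `role`) and the sample roles and bindings are all assumptions chosen for illustration; the operation names mirror Cloud Spanner IAM permission strings but are used here only as labels.

```python
# Added example (not from the post): a toy Zanzibar-style evaluator for the
# Cloud Spanner model sketched above. Type, relation, role and permission
# names are assumptions chosen for illustration.
from collections import namedtuple

Rel = namedtuple("Rel", "name")          # subjects stored directly on the object
Arrow = namedtuple("Arrow", "rel perm")  # follow `rel`, then evaluate `perm` there
Or = namedtuple("Or", "left right")
And = namedtuple("And", "left right")

# Operations, written as Spanner IAM permission strings (assumed for the example).
OPS = ("spanner.databases.create", "spanner.databases.select",
       "spanner.sessions.create")


def scoped(parent):
    """Bindings attached directly to this object, plus whatever the parent grants."""
    return {op: Or(Arrow("granted", op), Arrow(parent, op)) for op in OPS}


SCHEMA = {
    # A custom role lists its permissions explicitly; `user:*` means "whoever is bound".
    "role": {op: Rel(op) for op in OPS},
    # A binding grants an op only to its own user, and only if the role carries it.
    "role_binding": {op: And(Rel("user"), Arrow("role", op)) for op in OPS},
    "project": {op: Arrow("granted", op) for op in OPS},
    "instance": scoped("project"),
    "database": scoped("instance"),
    "session": {op: Arrow("database", op) for op in OPS},
}


class Store:
    """Relation tuples (object, relation, subject) plus a recursive check."""

    def __init__(self, tuples):
        self.tuples = set(tuples)

    def subjects(self, obj, rel):
        return {s for (o, r, s) in self.tuples if o == obj and r == rel}

    def check(self, obj, perm, subject, depth=0):
        if depth > 16:                       # guard against cyclic relation graphs
            raise RecursionError("relation graph too deep")
        expr = SCHEMA.get(obj.split(":", 1)[0], {}).get(perm)
        return expr is not None and self._eval(expr, obj, subject, depth)

    def _eval(self, expr, obj, subject, depth):
        if isinstance(expr, Rel):
            subs = self.subjects(obj, expr.name)
            if subject in subs or subject.split(":", 1)[0] + ":*" in subs:
                return True
            # usersets such as "group:eng#member" expand recursively
            return any(self.check(o, r, subject, depth + 1)
                       for s in subs if "#" in s
                       for o, r in [s.split("#", 1)])
        if isinstance(expr, Arrow):
            return any(self.check(o, expr.perm, subject, depth + 1)
                       for o in self.subjects(obj, expr.rel) if "#" not in o)
        if isinstance(expr, Or):
            return (self._eval(expr.left, obj, subject, depth)
                    or self._eval(expr.right, obj, subject, depth))
        if isinstance(expr, And):
            return (self._eval(expr.left, obj, subject, depth)
                    and self._eval(expr.right, obj, subject, depth))
        raise TypeError(f"unknown expression {expr!r}")


# Constructed sample data: alice is a db_admin for the whole project,
# bob is a db_reader on the prod instance only.
TUPLES = [
    ("role:db_reader", "spanner.databases.select", "user:*"),
    ("role:db_admin", "spanner.databases.create", "user:*"),
    ("role:db_admin", "spanner.databases.select", "user:*"),
    ("role:db_admin", "spanner.sessions.create", "user:*"),
    ("role_binding:alice_admin", "user", "user:alice"),
    ("role_binding:alice_admin", "role", "role:db_admin"),
    ("role_binding:bob_reader", "user", "user:bob"),
    ("role_binding:bob_reader", "role", "role:db_reader"),
    ("project:acme", "granted", "role_binding:alice_admin"),
    ("instance:prod", "granted", "role_binding:bob_reader"),
    ("instance:prod", "project", "project:acme"),
    ("instance:staging", "project", "project:acme"),
    ("database:prod/orders", "instance", "instance:prod"),
    ("database:staging/orders", "instance", "instance:staging"),
    ("session:s1", "database", "database:prod/orders"),
]
STORE = Store(TUPLES)


def can(user, op, resource):
    """Access decision: may `user` perform `op` on `resource`?"""
    return STORE.check(resource, op, f"user:{user}")


if __name__ == "__main__":
    for user, op, res in [("alice", "spanner.databases.create", "instance:staging"),
                          ("bob", "spanner.databases.select", "database:prod/orders"),
                          ("bob", "spanner.databases.select", "database:staging/orders"),
                          ("bob", "spanner.databases.create", "instance:prod")]:
        print(f"{user:5} {op:26} {res:24} -> {can(user, op, res)}")
```

The point to notice is where the decision is made: an instance or database never lists users directly. Its permission expression only says "the bindings granted here, or whatever the parent scope allows", and each binding contributes a user only for the operations its role explicitly carries. Adding a new custom role or rebinding a user therefore never touches the resource hierarchy, and a reader bound on one instance gets nothing on a sibling instance under the same project.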