by TriNetra 1902 days ago
Do you plan to add ABAC permission policies consisting of an expression of arbitrary attribute-based conditions for the object? Say "o.group = 'guest' AND o.location in ['CA', 'WA']".

Recently a prospective client, coming from the world of Active Directory, has expressed a need for such a feature in ASPSecurityKit.

I haven't read the Zanzibar paper, but in ASPSecurityKit we've implemented ACLs on a similar concept – we call it activity-data authorization (ADA) [0]. Since it works as part of your application as a library, it can inspect requests and automatically discover and authorize access to objects [1]. The attribute-based permission policies for users is something we're evaluating now.

0: https://youtu.be/u9NnBNEMpF4
1: https://aspsecuritykit.net/docs/article/how-to-perform-activ...

1 comment

This is tracked here: https://github.com/ory/keto/issues/319

Basically the idea is to check the attributes before actually forwarding the request to Keto. That could be done through e.g. an OPA integration. This can scale much better IMO than just doing everything in OPA.
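The pattern the reply describes, an attribute check evaluated locally before any relationship lookup is forwarded, as an added example that is not part of the thread and is not Keto's or ASPSecurityKit's code. It parses the condition syntax from the question (`o.group = 'guest' AND o.location in ['CA', 'WA']`), evaluates it against the object's attributes, and only then consults a Zanzibar-style relation-tuple store. The tuple store and the objects are constructed inline; `local_relation_check` is a hypothetical stand-in for a real call to Keto's check API, and the policy grammar (AND-joined `=` and `in` clauses) is an assumption for the example.

```python
import re
from dataclasses import dataclass
from typing import Any, Callable

# Clause grammar assumed for this example: clauses joined by " AND ", each being
#   o.<attr> = '<value>'            or
#   o.<attr> in ['<v1>', '<v2>', ...]
_EQ = re.compile(r"^o\.(\w+)\s*=\s*'([^']*)'$")
_IN = re.compile(r"^o\.(\w+)\s+in\s+\[([^\]]*)\]$")


@dataclass(frozen=True)
class Condition:
    attribute: str
    op: str     # "eq" or "in"
    value: Any  # str for "eq", tuple of str for "in"

    def holds(self, obj: dict) -> bool:
        # Fail closed: an object that lacks the attribute never satisfies the clause.
        if self.attribute not in obj:
            return False
        actual = obj[self.attribute]
        if self.op == "eq":
            return actual == self.value
        return actual in self.value


def parse_policy(expr: str) -> tuple[Condition, ...]:
    """Parse an AND-joined attribute expression into conditions; reject anything else."""
    conditions = []
    for clause in expr.split(" AND "):
        clause = clause.strip()
        m = _EQ.match(clause)
        if m:
            conditions.append(Condition(m.group(1), "eq", m.group(2)))
            continue
        m = _IN.match(clause)
        if m:
            values = tuple(v.strip().strip("'") for v in m.group(2).split(",") if v.strip())
            conditions.append(Condition(m.group(1), "in", values))
            continue
        raise ValueError(f"unsupported clause: {clause!r}")
    return tuple(conditions)


def attributes_match(policy: tuple[Condition, ...], obj: dict) -> bool:
    return all(c.holds(obj) for c in policy)


# Constructed relation tuples in Zanzibar style: (object, relation, subject).
RELATION_TUPLES = frozenset({
    ("doc:1", "viewer", "user:alice"),
    ("doc:2", "viewer", "user:alice"),
})


def local_relation_check(object_id: str, relation: str, subject: str) -> bool:
    """Hypothetical stand-in for forwarding a check to Keto; answers from local tuples."""
    return (object_id, relation, subject) in RELATION_TUPLES


def authorize(subject: str, relation: str, obj: dict, policy: tuple[Condition, ...],
              relation_check: Callable[[str, str, str], bool] = local_relation_check
              ) -> tuple[bool, bool]:
    """Return (allowed, forwarded). The relation check is only reached when the
    object's attributes satisfy the policy, so mismatches never leave the process."""
    if not attributes_match(policy, obj):
        return (False, False)
    return (relation_check(obj["id"], relation, subject), True)


POLICY = parse_policy("o.group = 'guest' AND o.location in ['CA', 'WA']")

# Constructed sample objects, including one with a missing attribute.
DOC_OK = {"id": "doc:1", "group": "guest", "location": "CA"}
DOC_WRONG_LOCATION = {"id": "doc:2", "group": "guest", "location": "NY"}
DOC_WRONG_GROUP = {"id": "doc:3", "group": "staff", "location": "CA"}
DOC_NO_LOCATION = {"id": "doc:4", "group": "guest"}

if __name__ == "__main__":
    for doc in (DOC_OK, DOC_WRONG_LOCATION, DOC_WRONG_GROUP, DOC_NO_LOCATION):
        print(doc["id"], authorize("user:alice", "viewer", doc, POLICY))
```

The second element of the returned pair makes the cost argument visible: only the object that passes the attribute gate causes a relation lookup, and an object with a missing attribute is denied locally rather than forwarded.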