by sparsely 1582 days ago
This looks so cool. I've always wanted something like this, especially being able to write the policies in Rego. I can't work out if it supports delegation though, i.e. service A temporarily allows service B to access a resource which normally only A has access to.
2 comments

If the caller can authenticate with the services, I think you can write some Rego that does something like this. I'm interested in what the flow looks like. Does the caller talk to A first to initiate this delegation?
You can create rules which take into account that there is a temporary grant; you do need to account for that somewhere in the form of accessible state. This could be achieved using the tenant level resource state, which is immediately updated and can be referenced from the Rego rule.
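
A sketch of the temporary-grant rule described in the reply above, as an added example that is not part of the thread or the project's own code. It assumes the grant state is visible to the policy as `data.grants` and resource ownership as `data.owners`; those paths, the package name and the input fields are hypothetical.

```rego
package authz.delegation

import rego.v1

# Assumed input (constructed for this example):
#   {"caller": "service-b", "action": "read", "resource": "reports/42"}
# Assumed state (constructed for this example):
#   data.owners = {"reports/42": "service-a"}
#   data.grants = [{"owner": "service-a", "grantee": "service-b",
#                   "resource": "reports/42", "actions": ["read"],
#                   "expires_ns": 1700000000000000000}]

# Fail closed: anything not explicitly allowed is denied.
default allow := false

# Normal case: the owner of a resource can access it.
allow if {
	data.owners[input.resource] == input.caller
}

# Delegated case: an unexpired grant names the caller, the resource and the action.
allow if {
	some grant in data.grants
	grant.grantee == input.caller
	grant.resource == input.resource
	input.action in grant.actions

	# Only a grant issued by the current owner counts, so a third
	# service cannot delegate access it does not hold itself.
	grant.owner == data.owners[input.resource]

	# Expiry is checked at evaluation time; a stale grant left in the
	# state stops matching without any cleanup step.
	time.now_ns() < grant.expires_ns
}
```

Because the expiry comparison is inside the rule, revoking early only requires removing the grant entry from the state the policy reads.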