by alex-olivier
1554 days ago
Disclaimer: I work for Cerbos[0]. Whilst this is a very good approach when all your data is stored in a single datastore, as applications grow it is common to start breaking out into more optimised data stores, e.g. you may have a few relational databases, a fast lookup source and a search index. This presents a problem of enforcing authorization down into each system. An alternate way to tackle this is to have the authorization system produce the conditions which need to be applied dynamically at request time (with all the relevant context), which can then be pushed down to each fetching layer as needed [2][3]. This gives far more flexibility in the sorts of authorization rules which can be applied to the data and doesn't tie it to a single bit of technology. As a real-world example, we have an integration with Prisma[3] which maps a query plan into a Prisma query format dynamically based on the context of the user and the currently live policies[4].

[0]: https://cerbos.dev
[1]: https://cerbos.dev/blog/filtering-data-using-authorization-l...
[2]: https://docs.cerbos.dev/cerbos/latest/api/index.html#resourc...
[3]: https://prisma.io/
[4]: https://youtu.be/lqiGj02WVqo?t=3601
I would never guess people would use row-level security for this for the reasons you've outlined; rarely (?) is one database the only resource you need to authorise access to, so you will need an authz for all non-db things anyway. Always assumed row-level authz was more for data warehouse type applications where a User has a client directly connected to a database, not intermediated through multiple levels of abstraction.
Cerbos' approach logically seems to make more sense to me than the general Zanzibar-inspired methods like Authzed and others. I could never wrap my head around how they could authorise access (pre and post filtering?) to data without pushing down conditions to join with into the store. Actually having a 3rd party system like Cerbos be able to push down conditions and have good ergonomics is another thing; that is a tough problem.
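To make the push-down idea from both comments above concrete, here is an added example (not Cerbos' or Prisma's own code) that takes a small authorization query plan and translates it into both a Prisma-style `where` object and a parameterised SQL fragment, so one policy decision can be enforced in more than one store. The plan shape, the `SAFE_COLUMNS` allow-list and the sample data are all invented for this illustration.

```javascript
// Constructed plan for "user u-42 reads documents": they may read what they
// own, or anything published in one of their departments (invented shape).
const samplePlan = {
  kind: "conditional",
  expr: {
    op: "or", args: [
      { op: "eq", args: [{ field: "ownerId" }, { value: "u-42" }] },
      { op: "and", args: [
        { op: "eq", args: [{ field: "status" }, { value: "published" }] },
        { op: "in", args: [{ field: "department" }, { value: ["eng", "sec"] }] },
      ] },
    ],
  },
};

// Prisma-style `where`. Unknown operators throw rather than being dropped,
// so a translation gap can never silently widen the result set (fail closed).
function exprToPrisma(e) {
  const [lhs, rhs] = e.args;
  switch (e.op) {
    case "and": return { AND: e.args.map(exprToPrisma) };
    case "or":  return { OR: e.args.map(exprToPrisma) };
    case "eq":  return { [lhs.field]: rhs.value };
    case "in":  return { [lhs.field]: { in: rhs.value } };
    default: throw new Error(`unsupported operator: ${e.op}`);
  }
}

// Parameterised SQL: column names are checked against an allow-list and all
// values are bound, so plan contents never become query text.
const SAFE_COLUMNS = new Set(["ownerId", "status", "department"]);
function exprToSql(e, params) {
  const [lhs, rhs] = e.args;
  const col = (f) => { if (!SAFE_COLUMNS.has(f)) throw new Error(`unknown column: ${f}`); return `"${f}"`; };
  const bind = (v) => { params.push(v); return `$${params.length}`; };
  switch (e.op) {
    case "and": return "(" + e.args.map((a) => exprToSql(a, params)).join(" AND ") + ")";
    case "or":  return "(" + e.args.map((a) => exprToSql(a, params)).join(" OR ") + ")";
    case "eq":  return `${col(lhs.field)} = ${bind(rhs.value)}`;
    case "in":  return `${col(lhs.field)} IN (${rhs.value.map(bind).join(", ")})`;
    default: throw new Error(`unsupported operator: ${e.op}`);
  }
}

// The three plan outcomes: no filter, match nothing, or the translated condition.
function planToFilters(plan) {
  if (plan.kind === "always_allowed") return { prisma: {}, sql: "TRUE", params: [] };
  if (plan.kind === "always_denied") return { prisma: { id: { in: [] } }, sql: "FALSE", params: [] };
  const params = [];
  const sql = exprToSql(plan.expr, params);
  return { prisma: exprToPrisma(plan.expr), sql, params };
}
```

The SQL fragment is meant to be appended as `WHERE <sql>` with `params` bound positionally; the Prisma object is passed as `where` to a `findMany` call.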