by coredog64
1538 days ago
A former employer (top 5 investment bank) did this as well. There was a central store of identity (well, two: one Windows and one non-Windows). Your application then included its own policies (written in Prolog) that could reference identity details and/or deep intrinsic request details. As soon as Prolog hit a condition where it couldn’t unify your request and the policy, you got a no. There’s a similar OSS implementation (OPA) targeting mainly k8s but allegedly useful generically that uses Datalog.