by magicpointer
1067 days ago
One approach that can be used is to use the centralized service to answer a broader question like: given this user, what rules can I use to know if a document is accessible for them? And have the service give you a set of rules to apply. Then take the result and embed those restrictions in your query. An example access service response would be: this user can access data from groups they are part of + documents for which a share exists towards this user + documents for which a share exists to any of the user's groups. Such an approach using OPA is described in https://blog.openpolicyagent.org/write-policy-in-opa-enforce.... This is not exactly the same as the first option you described, because instead of storing access controls in the index data, you use the available metadata + the rules from the access control service.
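The pattern described in the comment above, as an added example that is not the commenter's code and not OPA's own API: a stand-in access service answers "which rule shapes apply to this user" with structured rule names, and the application turns those into fixed, parameterised SQL fragments over ordinary document metadata (owner group, share rows), so the index stores no per-user ACL. The schema, rows, user kinds and rule names are all constructed for the illustration; a real deployment would get the rule set from something like OPA partial evaluation instead of the `access_rules` dictionary lookup here.

```python
import sqlite3

# Constructed demo schema (not from the original thread): documents carry only
# ordinary metadata, shares live in their own table, and nothing per-user is
# baked into the document rows.
SCHEMA = """
CREATE TABLE documents (id INTEGER PRIMARY KEY, title TEXT, owner_group TEXT);
CREATE TABLE user_groups (user_id TEXT, group_id TEXT);
CREATE TABLE shares (doc_id INTEGER, principal_type TEXT, principal_id TEXT);
"""

# Constructed sample rows.
ROWS = {
    "documents": [(1, "Q3 budget", "finance"), (2, "Onboarding guide", "hr"),
                  (3, "Incident report", "security"), (4, "Roadmap", "product")],
    "user_groups": [("alice", "finance"), ("alice", "security"), ("bob", "hr")],
    "shares": [(2, "user", "alice"), (4, "group", "security"), (1, "user", "carol")],
}

# Hypothetical stand-in for the centralized access-control service: given a
# user it returns the names of the rules the caller may apply, as data, never
# as SQL text. Unknown users get an empty rule set.
USER_KIND = {"alice": "employee", "bob": "employee", "carol": "guest"}
RULES_BY_KIND = {
    "employee": ["group_membership", "direct_share", "group_share"],
    "guest": ["direct_share"],
}


def access_rules(user_id):
    return RULES_BY_KIND.get(USER_KIND.get(user_id), [])


# Each rule name maps to one constant, parameterised fragment over alias "d".
# Every fragment takes exactly one parameter, the requesting user id, so the
# SQL text is fixed and only values travel through placeholders.
FRAGMENTS = {
    "group_membership":
        "d.owner_group IN (SELECT group_id FROM user_groups WHERE user_id = ?)",
    "direct_share":
        "EXISTS (SELECT 1 FROM shares s WHERE s.doc_id = d.id"
        " AND s.principal_type = 'user' AND s.principal_id = ?)",
    "group_share":
        "EXISTS (SELECT 1 FROM shares s JOIN user_groups ug"
        " ON ug.group_id = s.principal_id AND s.principal_type = 'group'"
        " WHERE s.doc_id = d.id AND ug.user_id = ?)",
}


def build_filter(user_id, rules):
    """Return (where_clause, params) for the given rule names.

    A rule name the application does not know is rejected outright, and an
    empty rule set yields a clause that matches nothing (deny by default).
    """
    clauses, params = [], []
    for rule in rules:
        if rule not in FRAGMENTS:
            raise ValueError(f"unknown access rule: {rule!r}")
        clauses.append(FRAGMENTS[rule])
        params.append(user_id)
    if not clauses:
        return "0", []
    return "(" + " OR ".join(clauses) + ")", params


def search(conn, user_id, term=""):
    """Run the user's search with the access restriction embedded in the query."""
    where, params = build_filter(user_id, access_rules(user_id))
    sql = ("SELECT d.id FROM documents d WHERE d.title LIKE ? AND "
           + where + " ORDER BY d.id")
    return [row[0] for row in conn.execute(sql, ["%" + term + "%"] + params)]


def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for table, rows in ROWS.items():
        marks = ",".join("?" * len(rows[0]))
        conn.executemany(f"INSERT INTO {table} VALUES ({marks})", rows)
    return conn


if __name__ == "__main__":
    db = make_demo_db()
    for user in ["alice", "bob", "carol", "mallory"]:
        print(user, search(db, user))
```

The point of keeping the service's answer to rule names rather than raw query text is that the application, not the policy service, owns the SQL: the fragments are constants, the only runtime values are bound parameters, and a rule the application has never heard of fails closed instead of being spliced into the query.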