by m3h 656 days ago
How does an external authorisation service work without the knowledge contained in the application’s database? And vice versa, how does the application make the efficient correct queries from its database when the authorisation information has been externalised?
2 comments

This is the single-biggest drawback to purely Zanzibar-based architectures. The problem with requiring the authorization system to own all authorization data is that there’s really very little pure authorization data in any application. The majority of it is just application data that is sometimes used to make authorization decisions.

Here's a technical post that details these implications in practice: https://www.osohq.com/post/authorization-for-the-rest-of-us

And another post that describes an alternative approach, Oso: https://www.osohq.com/post/local-authorization

(Shocker: I'm cofounder/CEO of Oso)

Actually, it also externalizes and centralizes the authorization data, so it won't work without the knowledge contained in the application database that could affect any authorization decision.

Permify provides a Permission Database[0] that unifies the authorization data (as a collection of Access Control Lists - ACLs) in a database of your choice, serving as the single source of truth for all authorization queries and requests via the Permify API.

[0]: https://docs.permify.co/getting-started/sync-data

Let's say I want to use the model outlined in the "File Storage" example. I set up and populate my permission DB accordingly with file permissions, organization and group assignments, etc. I also have an index filled with metadata related to the files that users have uploaded to my service and not just one, but two 500 GB laptop hard drives dedicated to file storage.

User "A" comes along and searches for files matching "ragtime". I can ask the permission DB to return the IDs of the 1499 files "A" has (directly or indirectly) access to, and also run a free-text search to return ca. 195700 files with a title, description or indexed content that matches "ragtime". But what happens next? Can I return an accurate search hit count or filtered result set to the user from his limited access-point of view? Do I need to move metadata into the permission database to do so?

While we don't have an exact solution or workflow for handling this case, I can suggest an approach that might help.

Assuming that you apply pagination to the search results, you can send the results to Permify one by one, as you'll only be displaying a limited number to the user. Permify is designed to handle millions of requests per second, so this approach won't cause any issues for your specific case.

While this solves the issue, sending multiple checks at once could create a problem as the number of items on the page increases, though it shouldn't be much of a problem even with 500 items.

You can do three things according to OpenFGA, of which the basic two are: ask Permify for a list of all accessible files and match them with the search result. This works best if the number of hits is large and the number of owned files is small. If the number of owned files is large and the number of hits is small, then you can ask 'which of these N files does user U have access to' where you send the list of search hits.
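The two strategies above (list everything the user can access and intersect locally, or send the hit list to the service as batched checks), plus the page-at-a-time checking suggested earlier in the thread, worked through as an added example. This is not Permify's, OpenFGA's or any commenter's code: the `PermissionStore` class is a constructed in-memory stand-in for the external authorization service, `lookup_objects` and `batch_check` are assumed method names standing in for the service's real API, and the file ids and search hits are constructed sample data.

```python
"""Intersecting a ranked free-text search result with an external
authorization service's answers.  Added example; the store below is a
constructed stand-in for a service such as Permify or OpenFGA, not their API."""

from dataclasses import dataclass, field
from typing import Iterable, Optional


@dataclass
class PermissionStore:
    """Constructed in-memory relationship store.  Keys are (user, relation);
    values are the file ids the user holds that relation on, already expanded
    through groups/organizations.  `calls` counts round-trips so the two
    strategies can be compared."""
    tuples: dict[tuple[str, str], set[str]] = field(default_factory=dict)
    calls: int = 0

    def lookup_objects(self, user: str, relation: str) -> set[str]:
        """'Which files can user U <relation>?'  One round-trip; the answer can be large."""
        self.calls += 1
        return set(self.tuples.get((user, relation), set()))

    def batch_check(self, user: str, relation: str, object_ids: Iterable[str]) -> set[str]:
        """'Which of these N files can user U <relation>?'  One round-trip per batch."""
        self.calls += 1
        allowed = self.tuples.get((user, relation), set())
        return {o for o in object_ids if o in allowed}


def filter_by_lookup(store: PermissionStore, user: str, relation: str, hits: list[str]) -> list[str]:
    """Strategy 1: fetch the user's whole accessible set once and intersect locally.
    Preserves the search engine's ranking.  Best when the accessible set is small
    and the hit list is large."""
    accessible = store.lookup_objects(user, relation)
    return [h for h in hits if h in accessible]


def filter_by_batch_check(store: PermissionStore, user: str, relation: str, hits: list[str],
                          batch_size: int = 100, limit: Optional[int] = None) -> list[str]:
    """Strategy 2: send hits to the service in ranked batches and keep the confirmed ones.
    Best when the hit list is small and the accessible set is large.  With `limit`
    set (the page-at-a-time idea) it stops as soon as one page is filled, so the
    first page is cheap; an accurate *total* count still needs a full pass."""
    visible: list[str] = []
    for i in range(0, len(hits), batch_size):
        batch = hits[i:i + batch_size]
        allowed = store.batch_check(user, relation, batch)
        visible.extend(h for h in batch if h in allowed)
        if limit is not None and len(visible) >= limit:
            return visible[:limit]
    return visible


def filter_hits(store: PermissionStore, user: str, relation: str, hits: list[str],
                accessible_estimate: int, batch_size: int = 100) -> list[str]:
    """Choose a strategy from the two cardinalities.  `accessible_estimate` is whatever
    the application knows cheaply (e.g. a cached count per user); the comparison
    rule is a simple assumed heuristic, not something either service prescribes."""
    if accessible_estimate <= len(hits):
        return filter_by_lookup(store, user, relation, hits)
    return filter_by_batch_check(store, user, relation, hits, batch_size=batch_size)


# Constructed sample data: user "A" may view f1..f5; user "B" may view nothing.
SAMPLE_HITS = ["f9", "f2", "f7", "f1", "f3"]  # search hits in ranking order


def sample_store() -> PermissionStore:
    return PermissionStore({("A", "viewer"): {"f1", "f2", "f3", "f4", "f5"}})


if __name__ == "__main__":
    s = sample_store()
    print("lookup:", filter_by_lookup(s, "A", "viewer", SAMPLE_HITS), "calls:", s.calls)
    s = sample_store()
    print("batch :", filter_by_batch_check(s, "A", "viewer", SAMPLE_HITS, batch_size=2), "calls:", s.calls)
    s = sample_store()
    print("page  :", filter_by_batch_check(s, "A", "viewer", SAMPLE_HITS, batch_size=2, limit=2), "calls:", s.calls)
```

Both strategies return the visible hits in the engine's ranking order; the difference is only which side carries the large set over the wire. In the thread's numbers (about 1500 accessible files against roughly 195700 hits), the lookup strategy answers the count question in one round-trip, whereas batched checks would need the whole hit list sent before the count is known.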