[tucnak]

What you're talking about exists, and it's called Relationship-based Access Control, or ReBAC. There are a few implementations, Zanzibar paper, etc. The issue is not capability system, it's governance. The operator needs to write policies, of course! They don't want to read, write policies, audit other people's policies.

[mrkmarron]

What is your take on usability of these systems? In practice they seem to be rather un-ergonomic and usage devolves into require everything.

As agentic systems seem to mainly interoperate with REST style systems I suspect that using URIs for resource use descriptions would be more natural.

[tucnak]

You're right on ergonomics.

CodeAct is one way to abstract away some things, and bring others to the forefront. Especially when it comes to anything requiring a sidecar for mTLS, or something agents must be aware of, like error handling for whenever some call fails deep inside the stack. Troubleshooting access issues is key, during tool development and when using said tool in production, too. For many, many things, CodeAct is simply superior to naive calling conventions that you see around MCP clients, think OpenAPI.

[jzelinskie]

Sorry to piggyback, but if this is of interest to you, feel free to reach out to me over to email (contact info in my profile). I'm one of the founders of the most popular ReBAC solution, SpiceDB, which secures quite a few AI products including big players like OpenAI. I'm always interested in hearing about more use cases or where folks are struggling the most.

[tucnak]

Hi Jimmy, happy to talk about my experience. I reached out to you over email.