hi there 🙂 we are currently looking into different options to implement fine-grained authorization for our application (that currently just uses RBAC with Auth0). The most interesting options seem to be Ory, Oso and Authzed. One of the challenges we face is deciding which data should be centralized as part of the authorization service and which should only be kept locally by the application. Oso has this cool feature where you can send "facts" as part of the context of an authorization request ("Hey can this user X transfer funds from this account number Y... and btw for context: this user X is part of organization Z"). This allows for a lot of flexibility in deciding which data needs to stored in a central location and which can be kept local and only passed to the authorization service at runtime when the information is needed for a specific decision. Question: is something similar possible with Ory? P.S. our application isn't in banking but in the electronics supply chain, but I just used the last example in this channel 😉

Is this curl correct for checking the permission in the cat videos example?

ccurl --location 'localhost:4466/relation-tuples/check' \
--header 'Content-Type: application/json' \
--data '{
  "namespace" : "videos",
  "object" : "/cats/1.mp4",
  "relation" : "owner",
  "subject_id" : "*"
}'

Hi All, I am trying POC on keto. My app is a banking application here I have to support very fine grained permission. Example: Given user has some ABC role And has category XYZ And is of grade X1 And tranfer_money_limit is less than X amount Then user id eligible to do this transfer operation. We might have many as such scenarios , and I want to define these permission on runtime. Can keto handle such scenarios at runtime ? If yes how ? Wanted to get your expert opinions before I start something. TIA

Hey everyone. Why does

/relation-tuples/check/openapi

of the

oryd/keto:v0.11.1

return 200 OK when the relation tuple doesn't exist (and the

allowed

property of the JSON response is false) ?

How can we implement multitenancy using multiple Kratos instances and a self-service Node.js UI?

Hi , I am new to keto and was trying to explore the same and implement the same for POC Just wanted to check how's OPL config is different from the relationship or permission API. Can someone point me to documentation, not sure if I am missing something. But as per my understanding namespace and relationship can be created both using OPL config and API .

Does Keto have support for

sqlite

as a DB engine? I tried it and it didn't workout, am I missing something.

Hello, I'm working with Ory's suite of self-hosting solutions and I have a question about using Ory Keto: Is it possible to manage the start and end dates of access to one or more resources? I couldn't find any information about date management in the Ory Keto self-hosting documentation. To give you some context for my use case, I've modelled three Entities in Ory Keto: •

User

, which represents a user •

Offer

, which represents a group giving access to one or more products, and with which users can be associated •

Product

, which represents the resources accessible to

User

, with or without belonging to an

Offer

. I would therefore like to be able to define a start date and an end date when I link a

User

to an

Offer

or a `Product`*.* Thank you in advance for your reply. Don't hesitate to let me know if you need more information about my case.

Eya! We're developing proof of concept which uses the Ory stack and we would like to store a Permission model into Keto. The model consists of a few entities •

User

which is the user •

Person

which is owned by a

User

(a 1:1 relationship) and a manager can view multiple

Person

.. a

Person

works and has multiple

Workday

•

Workday

which is a resource we would like to protect .. it can only be viewed by the creator and the person who manages the

Person

We would like to separate the concern of permissions from our API such that we can point to Keto to fetch the permissions and this concern is being handled there instead of being implicitly encoded in backend of the API. There are a few questions though: • When listing

Workday

for a

Person

we would like to retrieve the identifiers which the user has access to. We also would like to sort the

Workday

on certain attributes inside our backend. However the documentation states that using the list API you cannot sort on any attribute? Also you might want to filter on a specific attribute, leaving out workdays .. The domain model of our API is in that sense still strongly coupled with permissions.. What would you do to solve this? • How would you deal with large amount of access permissions ? It's very likely that there will be many

Workday

entities for a specific

Person

.. so if we list all our workdays for the past 3 years, how would Keto handle this? • When we insert a entity via our API into the database, the Keto API also needs to be updated.. what's the typical strategy to do that? Using a event model, you'll have a audit log of what happend to the permissions and the keto permissions model can be updated through this by ingesting the events. However using a eventful model it will be come eventually consistent, which can be troublesome when you emit a event when adding a

Workday

and right after list your workdays. The consumer of the events which will update has some latency (eventual consistent). Would you instead use RPC instead? So when adding a

Workday

reach out to Keto as well? The downside of that is though, that if the database of our API works, but Keto is down you won't get the permission :)

Hey all, In the docs one of the things I saw was in HTTP API for ketos on self-hosting. There are relationship APIs with permissions. Cant we use them on self hosted ketos version and add or update or delete the relationships in real time? https://www.ory.sh/docs/keto/reference/rest-api

Hey all, can we use OPL language with self-hosted version. or how could we use any one knows? The documentation is a bit obscure, I couldn’t find anything or couldn’t figure out anything out of the

CLI

. One another thing, is it possible to give multiple namespaces to Keto, in a single file? I know it cannot parse multiple entries (JSON or Yaml) since it tries to convert the incoming reading data to

namespace.Namespace

which is a single item. Many thanks in advance.

For Keto, I see different imports depending on the webpage. Should we be using @ory/permission-namespace-types or @ory/keto-namespace-types?

- id: "oryketoanonymous" upstream: preserve_host: true url: "http://keto-api:4457/" strip_path: /.ory/keto/public match: url: "http://my-obsidian-edtech-dev.info/.ory/keto/public/**" methods: - GET - POST - PUT - DELETE authenticators: - handler: anonymous authorizer: handler: allow mutators: - handler: noop I have this rule in my oathkeeper PUT -:http://my-obsidian-edtech-dev.info/.ory/keto/public/admin/relation-tuples { "namespace":"access", "object":"obsidian", "relation":"view", "subject_id":"ankit", "subject_set":{ "namespace":"obsidian", "object":"ob-dev", "relation":"member" } } i am trying to create a relationship but i am getting this error -> 404 page not found , i am not understanding what is the reason of this error

unable to initialize config provider: open /home/ory/keto.yml: no such file or directory getting this error when running docker compose command

Hi can anyone help me out with this error keto-keto-migrate-1 | stat ./keto_namespaces: no such file or directory keto-keto-1 | time=2023-11-05T002736Z level=info msg=No tracer configured - skipping tracing setup audience=application service_name=Ory Keto service_version=v0.11.1-alpha.0 keto-postgresd-1 | ERROR: relation "schema_migration" does not exist at character 15 keto-postgresd-1 | STATEMENT: SELECT * FROM schema_migration keto-keto-1 | Migrations were not applied yet, please apply them first. keto-keto-migrate-1 exited with code 255

Hi can anyone help me out with OPL where I have multiple modules within the system : • Appointment • Finance etc. I have the following permissions in Appointment modules 1. Create appointment 2. Delete appointment 3. Update blockouts etc. I have roles which are assigned to the user. Can anyone help me write the OPL for this RBAC.

HI. how would one implement in keto // opl as system where a user has permissions. But has to 'activate' his current task. example: For task X he can access A. But for task C he can only access B and no longer A. some users have multple tasks / roles between he can switch. Tasks[A, B] Tasks[A] -> DFG Tasks[B} -> FX If task A is 'active' access to DFG is ok. if taks B is active access to FX should be given.

it is for checking the role ,what is want is to assign a role to user after it's registration,for that i want it's id or session info

how can i link keto and kratos ? I want to assign roles to the users registered through kratos so that i can get it's ID and i can assign roles

Hi, I'm trying to evaluate Keto as a FGA solution. This is my permission rules and I've shared my relationships below. I'm trying to see all

Positions

that a subject can see. When I provide a subject ID in the GET /relationship-tuples request, it doesn't respect this field. Am I doing something wrong? I would expect the response to be empty given that the subject_id

test

does not have a relationship to any of the namespaces

import { Namespace, SubjectSet, Context } from "<@U010S8T03NG>/permission-namespace-types"

class User implements Namespace { }

class Position implements Namespace { 
  related: {
    manager: Position[]
    viewers: User[]
  }
  permits = {
    view: (ctx: Context): boolean =>
      this.related.viewers.includes(ctx.subject) || 
      this.related.manager.traverse(p => p.permits.view(ctx))
  }
}

class Req implements Namespace {
  related: {
    positions: Position[]
  }
}

class SensitiveFields implements Namespace {
  related: {
    positions: Position[]
  }
}

I am trying to implement RBAC using ory keto.I have an API which fetches data from db and i want to restrict user such that a user of a particular type can only access the data . For eg if i have two types of data in my db such as A and B ,what is want is A to be accessed by admin and B to be accessed by other user.how can i achieve this?

Hey all - I’m new to keto, and I’m pretty confused about whether or not subject set rewrites are implemented, and how to get them to work. I have a simple model of

Clients

,

Groups

and

Users

. If a

User

is a member of a

Group

which is an accessor of a

Client

, then the

User

has permission to

access

the client. My OPL file:

import { Namespace, SubjectSet, Context } from "@ory/keto-namespace-types";

class User implements Namespace {}
class Group implements Namespace {
  related: {
    member: User[];
  };
}
class Client implements Namespace {
  related: {
    accessor: SubjectSet<Group, "member">[];
  };

  permits = {
    access: (ctx: Context) => this.related.accessor.includes(ctx.subject),
  };
}

My relations in RTS (I have no idea what this syntax is officially called:

Group:admin#member@User:woodywoodsta
Client:uptime-kuma#accessor@Group:admin

My relations in JSON, as queried from what I currently have loaded into keto:

{
  "relation_tuples": [
    {
      "namespace": "Client",
      "object": "uptime-kuma",
      "relation": "accessor",
      "subject_set": {
        "namespace": "Group",
        "object": "admin",
        "relation": ""
      }
    },
    {
      "namespace": "Group",
      "object": "admin",
      "relation": "member",
      "subject_set": {
        "namespace": "User",
        "object": "woodywoodsta",
        "relation": ""
      }
    }
  ],
  "next_page_token": ""
}

If I check using a POST check with a body of:

{
  "namespace": "Client",
  "object": "uptime-kuma",
  "relation": "access",
  "subject_set": {
    "namespace": "User",
    "object": "woodywoodsta"
  }
}

I get

false

, however it is my understanding that the

this.related.accessor.includes(ctx.subject)

portion of my OLP effectively defines the subject set rewrite. What am I misunderstanding here?

Sorry, wrong channel. I created a message in the proper one. Hello everyone, I searched the channel with no success looking for an answer to my question, sorry if someone already asked about it and I missed it. We are currently using Hydra and Kratos. We allow users to sign up with a login/password OR use a social login (Google, Apple, Microsoft…). To display accurate information in a settings page, would like to know if a user has already created a password. I tried using the Kratos Api with the GET /admin/identities/{id} endpoint (https://www.ory.sh/docs/kratos/reference/api#tag/identity/operation/getIdentity). User who signed up with the username/password method have a property password (perfectly understandable so far) but the user who signed up with a social login as well. How can I know if a user has already set a password ? Is there an API endpoint that allows me get this piece of info ? My “kratos-container” knows for sure this information as he doesn’t provide a setting ui node to “unlink” the social login as long as a user hasn’t set a password yet (using the Get setting flow endpoint : https://www.ory.sh/docs/kratos/reference/api#tag/frontend/operation/createNativeSettingsFlow) Many thanks in advance ! 🙏

Hi ! I am new to Ory! I have been exploring Ory Keto aiming to implement the permission management in my microservices based SAAS CRM software. There will be in total 3 roles in the entire application, Superadmin, Admin and User. That means I need RBAC mechanism instead of implementing extensive granular permission management which is unlike the way Keto documentation explained in the Ory website (i.e., Owner, Viewer, Editor of Document etc ). Can anyone suggest me any example code/way that is related to my case scenario? I really appreciate your help🙂

I am guessing there is an answer already for this but I can’t figure out the right search. I saw an example video where an API end point posts and gets files with a username. They build out Keto to protect access to files based on the username which makes sense. Assuming I might want to query ‘all files for user’, I am assuming the username should also be stored in the db with each file? My follow up question would be, if the username on the db row changes there would be a mismatch between the permissions and the data itself right? I would always need to make sure to edit the Keto rule and the db row when updating?

Hi everyone, are subject set rewrites (defined in the OPL model) not honored in the list and expand APIs? I could only get them to work in the permission check APIs. Is there any alternative way to get these rewrites in list/expand APIs? I initially thought to create explicit relation tuples for relations that would be otherwise implicitly inferred through the model, but it is leading to a lot of extra relations as my model has parent/child hierarchy of objects.

Are there any in-depth & up to date write ups comparing spicedb with ory/keto?

I am curious how peers are handling list type queries. Currently I am listing the relation tuples that fit the query, then using all the object id's to make the request to the database. It seems highly inefficient when Oathkeeper handles all my other checks with an authorizer to

relation-tuples/check

, but for list I set the object to

*

and that's my object reference for this type of relation for getting a list of objects from the db.

Hi folks 👋 I am conducting a bit of an evaluation of OSS zanzibar-based systems currently, and I'd be very interested if anyone has some numbers/names around companies using keto(OSS) and keto (as part of ory cloud) in production. Anything is helpful 🙂