# talk-keto
l
Hello Keto folk. In our permissions model we want to have the concept of optionally allowing an action for all users (e.g. viewing a piece of content that is available to everyone that knows the link to it). I was looking into ways of implementing this within Keto and wondered if there was any advice on how to go about this. Some of the ways I’ve thought of it would be:

1. Have a special subject “PUBLIC” that my application knows about and uses on each check. Essentially meaning that each permission check must be done twice: once to see if a particular subject has access, and then to check if the public subject has access. This appears to be the approach that is hinted at by the quickstart example in the docs, but I’d ideally not do this as it would potentially double the number of permission checks my application needs to do.
2. Have an “all users” group as a subject in my permissions model which users get added to when they sign up initially. This would work but I would worry about missing signup events and keeping this consistent with my user database; it sounds like lots could go wrong here.
3. Some kind of magic in OPL which allows me to express an “allUsers” group in OPL, rather than explicitly making it. This (I think) would be my ideal solution of the three proposals, but I’m not quite sure if/how it could be done.

Some pointers would be really appreciated here!
s
your analysis is right, those are the options you have, but the last one is not yet implemented... I'd suggest going with the first for now, and migrating to an OPL-based approach once available

you can do the permission checks in parallel, so it should have only minimal impact on latency
l
Thanks for getting back @steep-lamp-91158. Any ideas on the timeframe for an OPL solution for this / what it would look like?
s
no, not really... definitely a couple of months