# talk-keto
Hey guys! I have implemented Ory Keto in production to control access to HTTP API endpoints (with RBAC). So I have a few namespaces:

- Endpoint
- Permission
- Role
- User

Now I want to be able to mark endpoints, permissions, and roles as active/inactive. For example, an inactive role would still contain all the permissions, but anyone with this role would not be able to access the permissions and endpoints that this role provides. The same idea with permissions and endpoints. How would you implement that?

I am thinking of creating a new object "noone" and saying that if this role provides access to the "noone" object, then no one is able to access all other objects to which this role provides access. Is there a better way? What do you think, guys? Any Keto experts here?
This is what I came up with:
```typescript
class Endpoint implements Namespace {
    related: {
        permitted: SubjectSet<Permission, "assignee">[];
        disabled:  "default"[]
    };
    permits = {
        access: (ctx: Context) =>
            this.related.permitted.includes(ctx.subject) && !this.related.disabled.includes("default"),
    };
}

/**
 * {
 *     "namespace": "Endpoint",
 *     "object": "POST /some/legacy/action",
 *     "relation": "disabled",
 *     "subject": "default"
 * }
 */
```
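
The following is an added example, not part of the original post and not Keto's engine or API: a small in-memory model of the relation tuples that applies the post's `disabled`/`default` marker at every hop (Role, Permission, Endpoint) while leaving the grant tuples in place. The `member` relation on Role, the object names, and the helpers `isDisabled`, `subjectSets`, `canAccess` and `disable` are assumptions made for illustration.

```typescript
// Constructed model of Keto-style relation tuples; not Keto's engine or API.
type SubjectSet = { namespace: string; object: string; relation: string };
type Tuple = { namespace: string; object: string; relation: string; subject: string | SubjectSet };

// The post's marker tuple: relation "disabled", subject "default".
const isDisabled = (ts: Tuple[], namespace: string, object: string): boolean =>
  ts.some(t => t.namespace === namespace && t.object === object &&
               t.relation === "disabled" && t.subject === "default");

// Subject sets stored under namespace:object#relation.
const subjectSets = (ts: Tuple[], namespace: string, object: string, relation: string): SubjectSet[] =>
  ts.filter(t => t.namespace === namespace && t.object === object && t.relation === relation)
    .map(t => t.subject)
    .filter((s): s is SubjectSet => typeof s !== "string");

// "permitted" and "assignee" come from the post; Role "member" is an assumed relation name.
// A disabled object denies every path through it; its grant tuples stay untouched.
function canAccess(ts: Tuple[], user: string, endpoint: string): boolean {
  if (isDisabled(ts, "Endpoint", endpoint)) return false;
  return subjectSets(ts, "Endpoint", endpoint, "permitted")
    .filter(p => p.namespace === "Permission" && p.relation === "assignee" &&
                 !isDisabled(ts, "Permission", p.object))
    .some(p => subjectSets(ts, "Permission", p.object, "assignee")
      .filter(r => r.namespace === "Role" && r.relation === "member" &&
                   !isDisabled(ts, "Role", r.object))
      .some(r => ts.some(t => t.namespace === "Role" && t.object === r.object &&
                              t.relation === "member" && t.subject === user)));
}

// Constructed sample data: alice holds two roles that both lead to the endpoint.
const EP = "POST /some/legacy/action";
const base: Tuple[] = [
  { namespace: "Role", object: "admin", relation: "member", subject: "alice" },
  { namespace: "Role", object: "ops", relation: "member", subject: "alice" },
  { namespace: "Permission", object: "legacy.run", relation: "assignee",
    subject: { namespace: "Role", object: "admin", relation: "member" } },
  { namespace: "Permission", object: "legacy.run", relation: "assignee",
    subject: { namespace: "Role", object: "ops", relation: "member" } },
  { namespace: "Endpoint", object: EP, relation: "permitted",
    subject: { namespace: "Permission", object: "legacy.run", relation: "assignee" } },
];

// Builds the marker tuple that switches an object off.
const disable = (namespace: string, object: string): Tuple =>
  ({ namespace, object, relation: "disabled", subject: "default" });
```

In this model, disabling one role removes only the paths through that role, so a user who also holds another active role with the same permission keeps access.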