stocky-horse-99685
11/17/2023, 9:50 AM
• User which is the user
• Person which is owned by a User (a 1:1 relationship) and a manager can view multiple Person .. a Person works and has multiple Workday
• Workday which is a resource we would like to protect .. it can only be viewed by the creator and the person who manages the Person
We would like to separate the concern of permissions from our API such that we can point to Keto to fetch the permissions and this concern is being handled there instead of being implicitly encoded in the backend of the API. There are a few questions though:
• When listing Workday for a Person we would like to retrieve the identifiers which the user has access to. We also would like to sort the Workday on certain attributes inside our backend. However the documentation states that using the list API you cannot sort on any attribute? Also you might want to filter on a specific attribute, leaving out workdays .. The domain model of our API is in that sense still strongly coupled with permissions.. What would you do to solve this?
• How would you deal with a large amount of access permissions? It's very likely that there will be many Workday entities for a specific Person .. so if we list all our workdays for the past 3 years, how would Keto handle this?
• When we insert an entity via our API into the database, the Keto API also needs to be updated.. what's the typical strategy to do that? Using an event model, you'll have an audit log of what happened to the permissions and the Keto permissions model can be updated through this by ingesting the events. However, using an eventful model it will become eventually consistent, which can be troublesome when you emit an event when adding a Workday and right after list your workdays. The consumer of the events which will update has some latency (eventually consistent). Would you use RPC instead? So when adding a Workday reach out to Keto as well? The downside of that is though, that if the database of our API works, but Keto is down you won't get the permission :)