# talk-keto
p
Hi All, I am trying a POC on keto. My app is a banking application where I have to support very fine-grained permissions. Example: Given user has some ABC role And has category XYZ And is of grade X1 And transfer_money_limit is less than X amount Then user is eligible to do this transfer operation. We might have many such scenarios, and I want to define these permissions at runtime. Can keto handle such scenarios at runtime? If yes, how? Wanted to get your expert opinions before I start something. TIA
c
Theoretically yes, although I'm not sure it's entirely advisable. So, a few things to address here: 1: You usually never want to explicitly check for a role, rather you want to check for a permission that the role possesses. 2: Checking category and grade, sure, although I'm still not entirely convinced this should be a permission - it sounds like it belongs more in the business logic? 3: Keto inherently returns booleans, not ints. I.e., keto is supposed to receive pretty simple yes/no questions, and responds with true or false, e.g.: Can this user view this file? False. So adding numerical comparisons also seems somewhat out of scope for Keto. The thing that keto could be used for is closer to "Can this user transfer funds from this account number?" (i.e., object permissions) or "Does this user belong to this company?" (i.e., group permissions), or "Is this user allowed to credit funds?"
p
Thanks for replying, I am trying to look at Boolean results only. But here I might also look at the amount attribute: if it is less than a certain amount the role is eligible for a certain permission, else not. Correct me if I am wrong, these scenarios are well taken care of by the ABAC approach, but I think keto supports more of an RBAC approach.
c
Yes, that's correct, keto is a very RBAC-centric approach - more specifically, it's an open-source implementation of Zanzibar, which is a protocol described here (among other places): https://zanzibar.academy/