Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi! Whats the best approach to listing objects that User has permission to?
For e.g User has thousands of posts, and all ACL is stored in keto. Should I query keto to get all ids, and then filter it in database with ordering, pagination and filtering?
Looks a little bit too much for me to query all entities user has access to in a single list request, that might return 20 or something like this?

I had the same question regarding search results: our API should return a page of an expected size from search results with multiple filters applied on top of which comes authorization filtering. Our authorization system perfectly fits into the Keto model, with all the hierarchical approaches, however it's completely unclear how to make such requests without significant degradation of response times.