# ory-network
h
With Ory Permissions I understand that to check permissions we can, for example, use this endpoint: https://www.ory.sh/docs/reference/api#tag/permission/operation/checkPermission. However, what if there are multiple items on a dynamic web page for which we want to check whether the user has permission to read/update any of them? For example, a page loads, and we have permissions set for whether the user can:

1. View a list of items
2. Edit items in the list
3. Delete items in the list

For one page load we would have to make 3 API calls (and potentially more, say to check if the user even has access to the page) to check each individual permission. Seems rather inefficient, no? Even if the response times are awesomely fast, I can still imagine us being rate limited for making so many requests. I feel like I'm missing something that should be really obvious. What's the correct way to do these permission checks? Just in case you want an example set of relations and a permission model for reference, see below:
```
Subject       Relation      Object
User:2        manager       Practice:1
```

```typescript
import { Namespace, SubjectSet, Context } from "@ory/permission-namespace-types"

class User implements Namespace { // system user roles
  related: {
    superadmin: User[]
    practiceUser: PracticeUser[]
  }
}

class PracticeUser implements Namespace { // practice user roles
  related: {
    owner: User[]
    manager: User[]
    user: User[]
  }
}

class Practice implements Namespace {
  related: {
    manager: (User | SubjectSet<PracticeUser, "manager">)[]
    user: (User | SubjectSet<PracticeUser, "user">)[]
    owner: (User | SubjectSet<PracticeUser, "owner">)[]
  }
  permits = {
    practiceUserSentInvitation: (ctx: Context): boolean =>
      this.related.owner.includes(ctx.subject) || this.related.manager.includes(ctx.subject),
  }
}
```
s
A batch check API is on the backlog: https://github.com/ory/keto/issues/812. We have no ETA, though; would you be interested in moving this forward? As you said, as a workaround you can do multiple calls.
h
Thanks for the response. Well, we could do multiple calls, but my concerns are that:

1. It may noticeably slow down webpage loads.
2. Multiple calls risk getting rate-limited by Ory Network.

Do you feel the above are likely to happen? If so, then yes, we'd need a better solution.
s
Let's put it that way: a bulk check API takes maybe around one day of work, so not a lot. If there is a paying customer in need, we have a good argument to do it.
Depending on the contract details we can commit to delivering it by a certain date.
h
Sorry, I'm not sure what you mean. Can you elaborate?
s
We have to prioritize what we work on, which is mainly what paying customers need. This is very much a solvable problem, so if you become a paying customer and have this issue, we can prioritize it. Makes sense?
h
Oh now I understand what you mean. Thank you. Well, we are paying for Ory Network. We haven't tested it with multiple calls yet, so we don't know if it's a real problem in practice. We'll try it and let you know.
s
Sure 👍
h
Just to provide an update, we've found another way to solve this by refactoring our permission model so that multiple permission check API calls are no longer needed while still providing the granularity we need. So far so good, but we'll let you know if it falls short and batch checks become necessary.
c
I don't mind adding that we really, really need some bulk checking support. Like, we already have bulk permission checks in our internal API, but under the hood we iterate through the checks one by one when making them to Keto 🥲