Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

What’s the common pattern to denote a public record with Keto?  How do I tell Keto that the answer is always “yes” when someone asks if they can view a specific `File` object (aside from creating a relation tuple for every user in the system)?  Reading <https://www.ory.sh/docs/keto/quickstart|this cat videos example>, I see the usage of a `"*"` principal, but it states that the value doesn’t really mean anything to Keto and that it’s the application that knows to treat that as public.  However, to achieve this then I suppose the application would need to:

1. Query Keto to see if user can view object (in the event of a public object, this will be denied as there won’t be an explicit relation tuple)
2. Query Keto so see if stand-in principal (ie `"*"`) can view object
Is that the right way?  Always do a second lookup if the first principal is denied?