Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi! We are on the essentials (legacy) plan (project ID `e0dab914-144d-4613-a1af-43e47a6604ab`) and we're self-hosting keto for permissions checks.

We want to introduce the concept of a "suspended" state for teams, so that permissions checks that would otherwise succeed, fail if the user's team is suspended.

We are thinking that the best way of doing this is to run a ListRelations call to get an object's teams relations and then run a separate check on those teams to see whether they have a relation to a singleton node in a teamRestrictions namespace. This, however, adds two extra calls to the permission check.

Is there a way / recommended pattern for this use case? We tried these two options but it seems that the OPL spec isn't expressive enough
• Add a transitive check to see if an object's teams have a relation with the suspended object. Failed because we can't change the context you pass onto the transitive iterator function
• Add a static check to the TeamRestriction namespace: `restricts = (ctx) =&gt; true` and then add a `hasNoRestrictions = (ctx) =&gt; !this.restrictions.traverse(r =&gt; r.permits.restricts(ctx)` . This failed because OPL doesn't support boolean constants.
Any pointers / help would be appreciated!