<@U04UQ68083H> What's the common way and the best ...
# ory-copilot
@chilly-king-10285 What's the common way and the best practice to create new permissions (for Keto) when our users create a new object? Should we insert them at our backend, should we use hooks? Or what?
A message from kapa.ai
To answer your question about creating new permissions in Ory Keto when users create new objects, let's look at the best practices and common approaches:

1. Creating relationships using the API or SDK: The most common and recommended way to create new permissions is by using the Ory Keto API or SDK to create relationships when new objects are created in your application. This is typically done in your backend code. [Creating relationships using the CLI](https://www.ory.sh/docs/keto/guides/migrating-legacy-policies#creating-relationships-using-the-cli) shows an example of using the Keto CLI to create relationships, which can be adapted to use the API or SDK in your backend:

   ```
   keto relation-tuple parse alice_policies --format json | \
     keto relation-tuple create - >/dev/null \
     && echo "Successfully created tuple" \
     || echo "Encountered error"
   ```

2. Best practices: [Best practices](https://www.ory.sh/docs/keto/guides/simple-access-check-guide#best-practices) for managing permissions include:
   - Don't cache permission checks
   - Perform permission checks in every critical path of the application
   - Use fine-grained permissions
   - Audit permissions regularly

3. Automated testing: [Test permissions](https://www.ory.sh/docs/keto/modeling/create-permission-model#test-permissions) recommends automating the testing of your permission model:
   - Write tests that insert relationships and check permissions through the SDK
   - For complex changes, use a separate Ory Network project for testing

While the documentation doesn't explicitly mention hooks, the common approach is to create permissions (relationships) in your backend code when new objects are created. This allows you to maintain control over the permission creation process and ensure it aligns with your application's logic and security requirements.