Hi Ory Keto team, I have a question about getting...
# talk-keto
b
Hi Ory Keto team, I have a question about getting a list of permissions of a user from Keto. Assume the following scenario where we have two users (Sarah and John). Sarah is a member of the group managers and that group has the admin role assigned. John is a member of the group employee which has the user role assigned to it. The admin role has permissions to create, delete and view, and the user role has just the permissions to view.
```
permissions:create#allowed@(roles:admin#has)
permissions:delete#allowed@(roles:admin#has)
permissions:view#allowed@(roles:admin#has)

permissions:view#allowed@(roles:user#has)

roles:admin#has@(groups:manager#member)
roles:user#has@(groups:employee#member)

groups:manager#member@sarah
groups:employee#member@john
```
When using the expand API as follows, it allows me to list all the users who have the create permission:
```
keto expand <relation> <namespace> <object>
keto expand allowed permissions create
```
However, is there a way to get all the permissions assigned to the user Sarah? Like get create, view, delete as the list of permissions allowed for Sarah. The only way I found was to explicitly list Sarah’s groups, then roles attached to those groups and finally get the permissions attached to those roles, which will make at least 3 API calls. Thanks in advance!
n
Hi, this would be a "reverse" expand, and is currently not supported. But I agree that this would be a useful feature, especially when displaying UIs based on permissions (see https://github.com/ory/keto/issues/689).
b
Thanks @narrow-van-43826 for the response. And I agree with you. This would be highly useful when displaying UI based permissions and issuing user tokens embedded with scopes or permissions.
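
The manual group, role, permission walk described in the question, as an added example that is not part of the original thread and not a Keto API: it runs over a local copy of the relation tuples quoted above and follows subject sets upward from a user. The function names (`parse`, `build_reverse_index`, `reverse_expand`) are hypothetical, and the tuple snapshot is assumed to have been fetched separately.

```python
import re
from collections import defaultdict, deque

# Relation tuples copied from the question (a local snapshot, not a live Keto query).
TUPLES = """
permissions:create#allowed@(roles:admin#has)
permissions:delete#allowed@(roles:admin#has)
permissions:view#allowed@(roles:admin#has)
permissions:view#allowed@(roles:user#has)
roles:admin#has@(groups:manager#member)
roles:user#has@(groups:employee#member)
groups:manager#member@sarah
groups:employee#member@john
""".split()

TUPLE_RE = re.compile(r"^([^:#@()]+):([^:#@()]+)#([^:#@()]+)@(.+)$")
SET_RE = re.compile(r"^\(([^:#@()]+):([^:#@()]+)#([^:#@()]+)\)$")

def parse(line):
    """Split one tuple into (object triple, subject).
    The subject is a plain ID (str) or a subject-set triple (tuple)."""
    m = TUPLE_RE.match(line)
    if not m:
        raise ValueError(f"not a relation tuple: {line!r}")
    ns, obj, rel, subject = m.groups()
    s = SET_RE.match(subject)
    return (ns, obj, rel), (s.groups() if s else subject)

def build_reverse_index(lines):
    """Map each subject to the object#relation triples it is written into."""
    index = defaultdict(set)
    for line in lines:
        target, subject = parse(line)
        index[subject].add(target)
    return index

def reverse_expand(index, subject_id, namespace="permissions", relation="allowed"):
    """Walk subject -> groups -> roles -> permissions; `seen` guards against cycles."""
    seen, queue, found = {subject_id}, deque([subject_id]), set()
    while queue:
        for target in index.get(queue.popleft(), ()):
            if target in seen:
                continue
            seen.add(target)
            queue.append(target)
            if target[0] == namespace and target[2] == relation:
                found.add(target[1])
    return sorted(found)

if __name__ == "__main__":
    print(reverse_expand(build_reverse_index(TUPLES), "sarah"))
```

A list produced this way reflects the snapshot only; if it is embedded in a token or used to render a UI, the enforcing service should still run a live check, since tuples can change after the list was computed.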