Hello :slightly_smiling_face:
Question about Keto...
# generala
ambitious-notebook-80494
02/10/2025, 3:41 PMHello 🙂
Question about Keto / Ory permission language: is Keto / OPL the right place to manage whitelists / blacklists and a trial status or not?
Our app has accounts, which own users. Non trial users can access all posts on our app except the one they are
blacklisted on, and for trial users it's the opposite: they can view only whitelisted data.
Sorry if it sounds dumb, I'm new to permissions systems.
s
steep-lamp-91158
02/10/2025, 3:50 PM
Hey, this is something you can definitely do using Ory Permissions.
Simple example OPL:
Copy code
class TrivialUser implements Namespace { }
class NonTrivialUser implements Namespace { }
class Post implements Namespace {
related: {
allowed: TrivialUser[]
denied: NonTrivialUser[]
}
permits = {
view: (ctx: Context) => this.related.allowed.includes(ctx.subject) ||
!this.related.denied.includes(ctx.subject)
}
}a
ambitious-notebook-80494
02/10/2025, 3:54 PMThank you, I'll see how I can have this in the model I am building 🙂
I think I don't get the grasp of it yet
ambitious-notebook-80494
02/10/2025, 4:49 PMFound the issue
ambitious-notebook-80494
02/10/2025, 4:49 PMfound the issue
m
magnificent-energy-493
02/10/2025, 6:24 PM
instead of editing your post you can follow up with your fix, however trivial it might be.
it will be part of our archive then and might help other users having the same issue!
a
ambitious-notebook-80494
02/12/2025, 8:52 AMHi @magnificent-energy-493
Right, basically I couldn't resolve the relation properly. In my mind, having a Project in the « projects » of an Account, and a User in the « members » of an Account was enough to check if a Project can be viewed by a User.
What I learned is that the Account must also be in the « viewers » of my Project, meaning having these relations:
User in members of Account
Account in viewers of Project
Instead of:
User in members of Account
Project in projects of Account
ambitious-notebook-80494
02/12/2025, 8:55 AMMy experience so far is that this representation of permissions is at the same time logical, but also hard to grasp. It's not easy to build a mind-repesentation of it.
Also, things i struggle with is how to give « attributes » (like account on trial, user is admin, …) to my objects. I start to understand that TrialStatus and AdminUsers should be Namespaces on their own for it to work. The other solution would be to move this out of my permission system, but then it means my code need to combine check from our DB with permission checks, which I don't find very practical and more error prone.
s
steep-lamp-91158
02/12/2025, 11:43 AM
We currently don't support attributes during permission checks, but it is a valid use-case and we have it on the backlog. Your workaround sounds like it would work, i.e. having different namespaces.
3 Views