Hi we are investigating using Ory Network Permissions for on Ory Community #ory-network

Hi, we are investigating using Ory Network Permiss...

bitter-greece-62664

08/27/2025, 7:01 PM

Hi, we are investigating using Ory Network Permissions for one of our application and we are hitting (I think) this issue https://github.com/ory/keto/issues/1060 Our namespace and rules looks like this

Copy code

class User implements Namespace {}

class Role implements Namespace {
    related: {
        members: User[]
    }
}

class Asset implements Namespace {
    related: {
        admins: SubjectSet<Role, "members">[]
        managers: SubjectSet<Role, "members">[]
        readers: SubjectSet<Role, "members">[]
    }
    permits = {
        create: (ctx: Context): boolean =>
            this.related.admins.includes(ctx.subject),
        read: (ctx: Context): boolean =>
            this.related.readers.includes(ctx.subject) ||
            this.permits.create(ctx) ||
            this.permits.update(ctx) ||
            this.permits.delete(ctx),
        update: (ctx: Context): boolean =>
            this.related.admins.includes(ctx.subject),
        delete: (ctx: Context): boolean =>
            this.related.admins.includes(ctx.subject),
    }
}

If we perform a permission check like

GET /relation-tuples/check?namespace=Asset&object=asset_a&subject_id=User:user_a&relation=read

We get

{"allowed":true}

as expected. We now want to get the list of asset a user can read. So we use the expand api

GET /relation-tuples/expand?namespace=Asset&object=9e4bb2e5-c9bb-4882-801d-4092cdb6b166&relation=read

And here we get

no relation tuple found

But using a direct relation like `GET /relation-tuples/expand?namespace=Asset&object=9e4bb2e5-c9bb-4882-801d-4092cdb6b166&relation=admins`` yield the tuple. If we are not able to use the expand api to get the information, we'd need to reproduce the

permits

section in our application. Which seems counterintuitive.

steep-lamp-91158

08/28/2025, 12:00 PM

That issue is on the backlog for a long time now (was incorrectly closed by the bot). We are actually looking to put a lot more work into Keto in the next months, including this case. It will still take a bit of time though.

bitter-greece-62664

08/28/2025, 1:08 PM

Is there a way to track the status of this, if it's on the radar that's fine, we can continue to implement and we'll switch back to using

permits

when implemented, but it'd be awesome to be able to track this

steep-lamp-91158

08/28/2025, 1:13 PM

we will for sure publish it in the changelog that you can see in #C010F2N7XR9

bitter-greece-62664

08/28/2025, 4:18 PM

@steep-lamp-91158 should I inline my permits as related in the meantime and update it accordingly?

steep-lamp-91158

08/28/2025, 4:23 PM

Yes thats one common workaround. Also check out https://www.ory.sh/docs/keto/guides/list-api-display-objects#application-context

Open in Slack

Previous Next