# talk-keto
l
Hello everyone, I’m evaluating Keto to use in one of the systems I’ve been developing as an authorization service. I am somewhat aware of the limitations Keto currently has (subject set rewrites etc.). In the system, we have a set of users and we have a requirement to have RBAC-like access control as well as more granular access control such as controlling access to individual objects and resources. These are the questions I have:
1. When integrating Keto with a system that already has a user base, do we have to create relation tuples of every user to reflect every default permission a user has?
2. Does Keto support connecting to an existing userstore (ex: LDAP) when building permission models?
s
1. If you already have an authorization service that you want to replace, you can use some API gateway or reverse proxy to run them side by side. Otherwise you will have to create all relation tuples for every user and object up front.
2. Keto does not care about where your users are authenticated, what a user ID looks like, or what even a user is. You can wire it up with any system through your code.
l
Thank you very much for the clarifications