# talk-keto
c
I'm looking to create a "service account" that has access to everything. How would you go about representing that in Keto? For example: I have a workload that is authenticated as "servername@internal.company.org"; it connects to an internal API "Books" and wants to be able to list all books by all owners. The Books API knows the requester is authorised as the service account, but when querying Keto, the resource doesn't belong to that service account, so it needs a way of accessing all books.
n
If you want to represent this in Keto right now, you'd have to add the corresponding tuples for each book explicitly. With userset-rewrites, which we are working on currently, you can in the future define rules for "traversing" or "deriving" relations, e.g., when all books are contained in a library, then you can define a service account on that library, and tell the system that all library service accounts have access to all contained books. But either with or without userset-rewrites, if there is no direct or indirect relation between the authenticated subject (in this case the service account) and the object (the book), then there is no access.
c
what approach would you take?