Hi @channel, We are investigating Ory Keto to manage our ACL's and we are currently experiencing an issue, more than an issue it's a foundamental question, HOW can we manage synchronized ACL's of document stored in a separated mongo database, and more deeply how could we filter document in mongo db by creation_date or object_ids or any other field without passing all document ids that i retrieve from Keto?? Use case & diagram:

I have a book Collection which we can describe as:

message Book {
  string title = 1;
  string Author = 2;
}

I am the owner of this book but I can also share my book with a list of users or in a group and all those informations are stored in KETO.
So now i would like to list the 10 last books owned by me or shared with me which contain a "t" in the title.


Client ----> Envoy ----> gRPC Service -----> MongoDB
                              |
                              |----> Keto (manage Access Control of documents stored in MongoDB)

I am pretty sure there is a missing piece in the middle but I cannot see how to resolve this problem, so 2 options: • we are completly dumb or blind or we have some comprehension issues with the techno • Keto was not designed to solve this problem Thank you very much for your help :)

There are some upcoming features to solve this, but they are not there yet. However, as a lot of people are hitting this wall we prioritize this and will solve it in the next few months.

Hello @steep-lamp-91158 thank you very much for your really quick answer 🙂, i have 2 more questions (if I may) for you, could you please: • giving us a global overview of the required features that would be added in Keto to solve this problem and if you can communicate on the roadmap (dates ?) • Do you know if there is any external tool / generic design that could be used in addition to KETO to resolve the problem during this transition period ? Thank you again !!

We unfortunately cannot give out exact dates for open source features, but we could prioritize better if you are an Ory Network user. The relevant open source issues are probably https://github.com/ory/keto/issues/689 and https://github.com/ory/keto/discussions/551 They should mention some workarounds. I recommend to also have a look at https://www.ory.sh/docs/keto/guides/list-api-display-objects