#talk-keto
@User Ideally there would not be implicit permissions, but you have all of them in Keto.

clever-shoe-40931

01/10/2022, 10:50 AM
Okay. Do you have a pointer to implicit permissions?

steep-lamp-91158

01/10/2022, 10:52 AM
In cases where you say "user has permission x when they have permission y" you would use subject set rewrites https://github.com/ory/keto/issues/263
but as that is not yet implemented, you will have to explicitly add the tuples, or alternatively add a logic layer in front of keto that you can then remove once the rewrites are available
maybe https://www.youtube.com/watch?v=A_IH_1NW7cM can inspire you 😉

clever-shoe-40931

01/10/2022, 11:32 AM
It is more along the lines of user X and Y have some permissions each. Now Y “delegates” to X. And X gets to do what Y can. (There may be some restrictions in reality) How do I store this in keto?

steep-lamp-91158

01/10/2022, 11:47 AM
maybe it would then make sense to create a "group" per user, and initially only the user is a member of their group. Then instead of adding tuples like
n:obj#access@user
you add
n:obj#access@users:user-id#can-act-as
and add one like
users:user-id#can-act-as@user-id
i.e. every user can act as themselves, but you can also have someone else act like you

clever-shoe-40931

01/10/2022, 11:49 AM
I haven't internalised the workings far enough how that would work.
Then I would need to query for the existence of "can act as" as well?
And I need to do that recursively

steep-lamp-91158

01/10/2022, 11:50 AM