<https://ory-community.slack.com/archives/C010F7Z4...
# talk-keto
@User Ideally there would not be implicit permissions, but you have all of them in Keto.
c
Okay. Do you have a pointer to implicit permissions?
s
In cases where you say "user has permission x when they have permission y" you would use subject set rewrites https://github.com/ory/keto/issues/263
but as that is not yet implemented, you will have to explicitly add the tuples, or alternatively add a logic layer in front of Keto that you can then remove once the rewrites are available
maybe https://www.youtube.com/watch?v=A_IH_1NW7cM can inspire you 😉
c
It is more along the lines of user X and Y have some permissions each. Now Y “delegates” to X. And X gets to do what Y can. (There may be some restrictions in reality.) How do I store this in Keto?
s
maybe it would then make sense to create a "group" per user, and initially only the user is a member of their group. Then instead of adding tuples like
n:obj#access@user
you add
n:obj#access@users:user-id#can-act-as
and add one like
users:user-id#can-act-as@user-id
i.e. every user can act as themselves, but you can also have someone else act like you
c
I haven't internalised the workings far enough how that would work.
Then I would need to query for the existence of can-act-as as well?
And I need to do that recursively.
s