Hello again :slightly_smiling_face: I'm working on...
# talk-keto
Hello again 🙂 I'm working on the access control for some object storage. Since there could be millions, if not billions, of objects in the storage, I can't possibly represent them all in Keto. But I still want to be able to define rights at the object granularity. So the solution that I found was to only store in Keto the rights to objects that do not have the default rights, and rely on more global permissions (e.g. bucket). However, the only way that I found to do that would be to check access multiple times, starting with the more global ACLs and working my way down to more specific permissions. So for example, if I have to check the read right for a specific object, I would have the following checks to do:
```
// z is parent of y which is parent of x
storage:z#read@user // if allowed, stop here, else continue
bucket:y#read@user  // same
object:x#read@user  // if still not allowed here, then the user is not allowed on this object
```
I find that this is quite inefficient with the calls, as it creates quite a lot of calls for a single object. Is there a way to optimize it by doing a bulk check that would return as soon as there is 1 allowed? Or maybe I'm missing something else?
I think I found a related issue https://github.com/ory/keto/issues/689
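
The cascade described in the post, as an added example that is not part of the original message and not Keto code: it parses the `namespace:object#relation@subject` strings shown above, walks the chain from most global to most specific, and reports how many check calls each decision costs. The in-memory `STORED` set, the `in_memory_check` stand-in for a permission-server call, and the users `alice`, `bob` and `carol` are assumptions constructed for the example.

```python
import re
from typing import Callable, Iterable, NamedTuple, Tuple


class RelationTuple(NamedTuple):
    namespace: str
    obj: str
    relation: str
    subject: str


_TUPLE_RE = re.compile(r"^([^:#@]+):([^:#@]+)#([^:#@]+)@([^:#@]+)$")


def parse_tuple(text: str) -> RelationTuple:
    """Parse 'namespace:object#relation@subject' as written in the post."""
    m = _TUPLE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"malformed relation tuple: {text!r}")
    return RelationTuple(*m.groups())


def cascade_check(check: Callable[[RelationTuple], bool], subject: str,
                  relation: str, chain: Iterable[Tuple[str, str]]):
    """Check from most global to most specific, stopping at the first allow.
    Returns (allowed, check_calls); the result is deny when no level allows."""
    calls = 0
    for namespace, obj in chain:
        calls += 1
        if check(RelationTuple(namespace, obj, relation, subject)):
            return True, calls
    return False, calls


# Constructed sample data: only grants that differ from the default are stored.
STORED = {parse_tuple(t) for t in ("bucket:y#read@alice", "object:x#read@bob")}


def in_memory_check(t: RelationTuple) -> bool:
    # Hypothetical stand-in for one round trip to the permission server.
    return t in STORED


# z is parent of y which is parent of x, as in the post.
CHAIN = [("storage", "z"), ("bucket", "y"), ("object", "x")]


def demo():
    return {u: cascade_check(in_memory_check, u, "read", CHAIN)
            for u in ("alice", "bob", "carol")}


if __name__ == "__main__":
    for user, (allowed, calls) in demo().items():
        print(f"{user}: allowed={allowed} after {calls} check call(s)")
```

Every denial costs the full chain length in calls, and because a broader allow ends the walk, this scheme can only widen access at the object level, never restrict it below what the bucket or storage grants.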