Ory is the largest open source community in the world for cloud software application security. We maintain advanced open source security software solving authentication, authorization, access control, application network security, and delegation. Ory implements a variety of industry and best-practice standards including OAuth 2.0 / OAuth 2.1, OpenID Connect, Zero Trust Networking, Google Zanzibar Policy Framework, FIDO2 U2F, WebAuthn, TOTP, and more.

Ory Community

Hi everyone,

I am currently using v0.6, and I guess there are no wildcards in v0.6.
I would like to utilize a wildcard for the following scenario:
• The app consists of multiple domain-related objects (let's say text files).
• You need `read` `write` `delete` or `update` policies for particular operations on the docs. For ex, in order to delete a doc called `temp_doc.txt`, you need `temp_doc.txt#delete@&lt;user_id&gt;`.
• Also, the admin should do all of these operations like `*#*@(members:admin#member` which implies that the admin can do `any` action on `any` object.
• So that, if the admin wants to read this `temp_doc.txt`, `temp_doc.txt#read@&lt;admin_id&gt;` should return true. 
However, I couldn't find a way to design this system. Does anyone have experience of Keto usage similar to this? 
Thanks in advance!

So what you called wildecard will be subject set rewrites: <https://github.com/ory/keto/issues/263>
Currently you can workaround that by adding for each permission a tuple like `temp_doc.txt#delete@(admin#member)`  which is not ideal, but that's why it is called "workaround"
an admin is then added as `admin#member@&lt;some-id&gt;`