# talk-kratos
q
Hi all, we are in the process of evaluating different authn/authz solutions and have a requirement to support custom business logic that encompasses granular table-level permissions that will grant access to columns. I thought about storing some of this data in Kratos metadata, but some users have about 150 entries already. Is this something that Ory can handle?
n
Hi @quaint-lion-3364. This is what keto is designed to handle. We have completed a POC doing exactly what you are doing but have since moved to incorporating keto as our permissions server. Works really well and has a useful API for integrating with our own app’s user provisioning service.
q
Hi @nice-beach-55235 thanks for the quick response! I was pretty sure keto was capable of doing this and have not gotten into the weeds with it entirely. Are there some examples you could share?
n
Well, we really just got into the keto documentation and figured it out, so nothing I can share that goes beyond Ory’s docs. There is a learning curve for sure, but we’re enjoying the model. We have a use case where we have multiple tenants and a user may belong to more than one tenant with a different role per tenant, so all of that logic we keep on our side and just populate keto with the burst-out fine-grained permissions. The keto lookup simply returns a true/false on whether the user has permission to the tenant/resource#verb. We tried initially to model the hierarchy more explicitly in keto, but it became unwieldy, which is why we burst out the permissions implied by a role assignment on our app side (and maintain them if a user leaves a tenant or changes roles, etc.).
(Oh, and to model the tenant-switching, we do store the current tenant in the Kratos metadata. The user is required to re-authenticate on switching tenants, i.e. they can only be in the context of one tenant at a time.)
q
Thanks for this information. Truly appreciate it. I am going to see if I can quickly create my own POC.