m3h | 1 year ago

How does an external authorisation service work without the knowledge contained in the application’s database? And vice versa, how does the application make the efficient correct queries from its database when the authorisation information has been externalised?

gneray|1 year ago

This is the single-biggest drawback to purely Zanzibar-based architectures. The problem with requiring the authorization system to own all authorization data is that there’s really very little pure authorization data in any application. The majority of it is just application data that is sometimes used to make authorization decisions.

Here's a technical post that details these implications in practice: https://www.osohq.com/post/authorization-for-the-rest-of-us

And another post that describes an alternative approach, Oso: https://www.osohq.com/post/local-authorization

(Shocker: I'm cofounder/CEO of Oso)

EgeAytin|1 year ago

Actually, it also externalizes and centralizes the authorization data, so it won't work without the knowledge contained in the application database that could affect any authorization decision.

Permify provides a Permission Database[0] that unifies the authorization data (as a collection of Access Control Lists - ACLs) in a database of your choice, serving as the single source of truth for all authorization queries and requests via the Permify API.

[0]: https://docs.permify.co/getting-started/sync-data

rzzzt|1 year ago

Let's say I want to use the model outlined in the "File Storage" example. I set up and populate my permission DB accordingly with file permissions, organization and group assignments, etc. I also have an index filled with metadata related to the files that users have uploaded to my service and not just one, but two 500 GB laptop hard drives dedicated to file storage.

User "A" comes along and searches for files matching "ragtime". I can ask the permission DB to return the IDs of 1499 files "A" has (directly or indirectly) access to, and also run a free-text search to return cca. 195700 files with a title, description or indexed content that matches "ragtime". But what happens next? Can I return an accurate search hit count or filtered result set to the user from his limited access-point of view? Do I need to move metadata into the permission database to do so?
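The scenario in the comment above, worked through as an added example that is not part of the thread and is not Permify's or Oso's code: the permitted-ID set is applied to the whole ranked hit list before counting and paging, next to a version that filters only one page of raw hits. All names and data here are constructed assumptions; only the set sizes (1499 and 195700) come from the comment.

```python
from itertools import islice

# Constructed data sized like the comment: 195700 ranked hits, 1499 permitted IDs.
# RANKED_HITS stands in for the free-text index answer for "ragtime", best hit first.
RANKED_HITS = range(978495, -1, -5)
# PERMITTED stands in for the permission DB's list of file IDs user "A" may read.
PERMITTED = frozenset(range(0, 10493, 7))


def authorized_search(ranked_hits, permitted, page, page_size):
    """Filter the full hit list by permission, then count and page.

    Returns (total_visible_hits, ids_on_requested_page). Relevance order is
    preserved because the ranked list is walked once and only membership in
    the permitted set is tested.
    """
    visible = [file_id for file_id in ranked_hits if file_id in permitted]
    start = (page - 1) * page_size
    return len(visible), visible[start:start + page_size]


def page_then_filter(ranked_hits, permitted, page, page_size):
    """Page the raw hits first and filter afterwards.

    This never exposes a forbidden file, but pages come back short or empty
    and no accurate hit count is available to show the user.
    """
    start = (page - 1) * page_size
    raw_page = islice(ranked_hits, start, start + page_size)
    return [file_id for file_id in raw_page if file_id in permitted]


if __name__ == "__main__":
    total, first_page = authorized_search(RANKED_HITS, PERMITTED, 1, 10)
    print("hits visible to A:", total)
    print("first page:", first_page)
    print("page-then-filter first page:", page_then_filter(RANKED_HITS, PERMITTED, 1, 10))
```

This shape only holds while the permitted set is small enough to fetch and test against; the count and page are computed from IDs alone, so no file metadata has to move into the permission database for it.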