Compound authorization #2123
Open
Labels
feature-request: This issue requests a substantial new feature
pending-triage: The cedar maintainers haven't looked at this yet. Automatically added to all new issues.
Category
User level API features/changes
Describe the feature you'd like to request
Sometimes, the application needs to make sure that the principal has multiple permissions on an object or a set of resources, before a certain operation is allowed. This can be done today through multiple independent Cedar authorization checks, but from time to time, users have raised discussion on what it would look like for Cedar to support something with regards to that natively.
Alex on the Cedar Slack and in this blog post brought this up most recently, and mentioned that other projects like SpiceDB support the all operator, which in Alex' example could be modelled e.g. as

which means that a principal can only viewReport if they have the viewReportMetadata permission and the viewDataset permission on all source datasets of the report.

It would be interesting to see how Cedar would tackle something like this, even if using some "non-core" or higher-level library doing most of it.
Creating this tracking issue mostly in order to track the interest in this kind of feature.
Describe alternatives you've considered
Require consumers to implement this themselves.
Additional context
No response
Is this something that you'd be interested in working on?
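
The application-side approach the issue mentions (multiple independent authorization checks combined by the caller), sketched as an added example that is not part of the issue or of Cedar's code. The `authorize` hook is a hypothetical stand-in for one Cedar authorization call, and the entity names and grants are constructed sample data.

```rust
use std::collections::HashSet;

/// One (principal, action, resource) question, i.e. one independent authorization check.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct Check { pub principal: String, pub action: String, pub resource: String }

pub fn check(p: &str, a: &str, r: &str) -> Check {
    Check { principal: p.into(), action: a.into(), resource: r.into() }
}

/// Outcome of the compound check; `denied` lists every failed sub-check for the audit log.
#[derive(Debug, PartialEq)]
pub struct Compound { pub allowed: bool, pub denied: Vec<Check> }

/// viewReport = viewReportMetadata on the report AND viewDataset on ALL source datasets.
/// `authorize` is a hypothetical hook standing in for one Cedar authorization call;
/// every call should see the same policy set and entity snapshot.
pub fn can_view_report<F: Fn(&Check) -> bool>(
    authorize: F, principal: &str, report: &str, source_datasets: &[&str],
) -> Compound {
    let mut checks = vec![check(principal, "viewReportMetadata", report)];
    checks.extend(source_datasets.iter().map(|d| check(principal, "viewDataset", d)));
    // No short-circuit: evaluate every check so the denial record is complete.
    // With zero source datasets the "all" part is vacuously true and only the
    // metadata check decides.
    let denied: Vec<Check> = checks.into_iter().filter(|c| !authorize(c)).collect();
    Compound { allowed: denied.is_empty(), denied }
}

/// Constructed sample grants; anything not listed is denied (default deny).
pub fn sample_grants() -> HashSet<Check> {
    [("alice", "viewReportMetadata", "report-q3"),
     ("alice", "viewDataset", "dataset-sales"),
     ("alice", "viewDataset", "dataset-ops"),
     ("bob", "viewDataset", "dataset-sales")]
        .iter().map(|&(p, a, r)| check(p, a, r)).collect()
}

fn main() {
    let grants = sample_grants();
    let authz = |c: &Check| grants.contains(c);
    for datasets in [vec!["dataset-sales", "dataset-ops"], vec!["dataset-sales", "dataset-hr"]] {
        let out = can_view_report(&authz, "alice", "report-q3", &datasets);
        println!("alice viewReport over {:?}: {:?}", datasets, out);
    }
}
```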