Permission Checker plans

Hello, where can I learn more about the upcoming Permission Checker functionality?

Where are you getting all of these from :sweat_smile:
Internal “for development” resources are (for now) kept privately. As with the other one, I’ll consider opening up a forum thread for discussion and such.
Do you want to know what it is in general or something specific?

Ya, who is this tom nut anyway :smiley: I'm trying to size up Corteza for a project and also for some internal tooling. Part of this is looking at the roadmap to check out the trajectory, which also informs me that a few things that are important to me are not quite there yet.

https://cortezaproject.org/roadmap/

In one of the applications, all of the data is ours, but we do want customers to be able to view data and workflows relevant to them, which includes checking if the user is a member of an org/account and if that org has the authorizations. We also want to be able to provide some self-service customer profile, account history, payments, etc. Our multi-tenancy needs are more of an ABAC concern than an isolated compute concern, kind of like the Salesforce model.

We do not have to build our customer portal on Corteza to use Corteza built APIs in the background. I’m just trying to figure it out.

I really like permit.io’s approach to leveraging OPA but providing a great UX that does not require writing rego policy (but one can if needed).

The permission checker rework will be done in two phases; the first one (already done) improves the UX of the current permission configuration interfaces by providing a feature to evaluate the resulting access permission for specific users/roles.

The second one (which will be done at a later point (most likely) during 2022.9 lifetime) provides a complete overview of all resources, permission rules, and roles … to simplify access control configuration. This will probably be a separate webapp or a page on the admin webapp with a big table/matrix/tree/something.

From your other blog posts, this sounds like quite a big project. If you wish, you can write down some more context about what you’re trying to build so we can help you determine if Corteza is a good fit or not.

Does phase 1 support evaluating attributes such as an organization or account identifier?

Depends on what you mean by that; if you’re referring to the Salesforce-like org/account, then no – we don’t have those, nor are we planning on adding them (for now).
You can model them by defining custom modules, but we don’t have them supported natively.

This rework isn’t changing how the internals work; it improves the UX when working with access control.

Take a look over here and here (section of the previous link).

Couldn’t the contextual role be used for a Salesforce-like tenancy model if the expression could evaluate a resource attribute?

It could be used like that, yes