liammoch05/18/2022, 11:02 PM
Will the policy language be built around a fixed set of attributes like time, day ... or would there be a way for an application to define the attributes. - When you say 'user-supplied' attributes, what do you mean? - When are these attributes supplied? - How are these attributes expressed? - Do you plan to support different data types for these attributes? Just wanted to add that I find the Caveats proposal super useful and would greatly help address some of our use cases around time based and location based access.
Allow small fragments of policy to be associated with individual relationships in a new field called “caveats”. As we attempt to evaluate permissions these pieces of policy will be combined and surfaced as immutable caveats that apply to the result sets as they are collected. Before the result is returned to the user, a final policy is assembled and evaluated against user-supplied attributes, and a final decision is made. Because the caveats are immutable and apply to the sub-problem, they can be cached at every level of the decision making process.