Dynamic Permissions #1956

Closed
1 task done
KiltzX opened this issue Jan 23, 2024 · 1 comment
Labels
kind/question Further information is requested

Comments

KiltzX commented Jan 23, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Feature description

I want to know if there is a way to add permissions dynamically. For example, I would like to configure my application so that the user with id 10 does not have permission to such a resource, and that this would be added within the policies, but then not only the user with id 10 but also the user with id 12, and at some point remove the user with id 10.

What would the ideal solution look like to you?

No response

Anything else?

No response

KiltzX changed the title from "<title> Dynamic Permissions </title>" to "Dynamic Permissions" on Jan 23, 2024

@charithe (Contributor)

It sounds like you're trying to implement an access control list (ACL). One way to do that is to store the mapping of resource to users in your own database. Databases are optimized for set membership checks over very large sets, so you can do that preliminary check first and make the result an attribute of the principal (e.g. `is_in_acl`). It would then become one of the conditions in your Cerbos policy (`P.attr.is_in_acl == true`) and you can combine that with the other context-sensitive security rules you need in addition to the simple ACL membership check (e.g. is the request being made from a trusted IP range during office hours).

charithe added the kind/question label and removed the kind/feature and status/triage labels on Jan 23, 2024

charithe closed this as not planned on Mar 11, 2024
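
A sketch of the approach described in the comment above, added here as an illustration and not taken from the Cerbos project or from either participant. It keeps the ACL in the application's own database (an in-memory SQLite table stands in for it), computes `is_in_acl` server-side, and builds the body for a Cerbos `POST /api/check/resources` call without sending it. The resource kind `document`, role `user`, action `view`, the table layout and all function names are assumptions.

```python
import sqlite3

# Assumed Cerbos resource policy (YAML) that consumes the attribute; the kind
# "document", role "user" and action "view" are hypothetical.
POLICY = """\
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: document
  rules:
    - actions: ["view"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: P.attr.is_in_acl == true
"""

def open_acl_store():
    """In-memory stand-in for the application's own database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE acl (resource_id TEXT, user_id TEXT, "
               "PRIMARY KEY (resource_id, user_id))")
    return db

def grant(db, resource_id, user_id):
    db.execute("INSERT OR IGNORE INTO acl VALUES (?, ?)", (resource_id, user_id))

def revoke(db, resource_id, user_id):
    db.execute("DELETE FROM acl WHERE resource_id = ? AND user_id = ?",
               (resource_id, user_id))

def is_in_acl(db, resource_id, user_id):
    # Parameterized membership check, evaluated server-side on every request;
    # the value is never taken from client-supplied input.
    row = db.execute("SELECT 1 FROM acl WHERE resource_id = ? AND user_id = ?",
                     (resource_id, user_id)).fetchone()
    return row is not None

def build_check_request(db, user_id, resource_id, action="view"):
    """Body for Cerbos POST /api/check/resources; not sent anywhere here."""
    return {
        "principal": {"id": user_id, "roles": ["user"],
                      "attr": {"is_in_acl": is_in_acl(db, resource_id, user_id)}},
        "resources": [{"resource": {"kind": "document", "id": resource_id},
                       "actions": [action]}],
    }
```

Granting user 12 and revoking user 10 changes only rows in the table; the policy text stays the same. Because the attribute sits on the principal but depends on the resource, each request built this way should carry a single resource.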