Referencing permissions #6226
Comments
In a simpler version a permission like It could just internally expand the permission to
We're running into a similar issue at my company - there's lots of access transitivity in our schema (e.g. "if you have access to the parent table, you should have access to the child table" and vice versa) that results in a lot of heavily nested/redundant access control configuration on the Hasura side of things. It does seem to cause performance issues in our case - queries that are super simple/fast as admin slow to a crawl as a non-admin user because of the additional access control logic. We were thinking about ways to refactor our schema quite a bit to mitigate some of these issues, but ultimately something like @afitzek's proposal would be incredibly useful for us IIUC.
Came to this via #6591. I've also got a lot of transitive tables. A -> B -> C -> D etc and I'd like to go into D and create a rule like currently this is done with a lot of copy/pasting duplicated code. I'm on a solo developer project right now so this is easy for me to model in my head, but if I were running a team I'd be terrified of some dev missing something with all this duplication.
I hope the format of my posting here is correct; if not, please let me know and I can adapt it.
It would be really nice to be able to create "referencing permissions" (not sure if this is a good term for this ;)) for resources in a database.
In many models one encounters resources that share access permissions. For example, let's say we have a database model where we store users which will have access to objects, and these objects can have tags.
So we would have the following tables (just pseudo code):
In my permission model, a user should be able to read all tags of objects that belong to him.
Currently I would create permissions for the user table:
For the object table (I know in this simple example I could reference the USER_ID directly, but that is not the point, imagine an orgs structure, with teams between users and object):
For the tags table:
As one can see we are duplicating the rules.
For a very complex system, this becomes really hard to manage.
It would be really nice to be able to write something like this (there are probably much better ways to express this, but I hope the idea comes across):
The user permission:
The object permission:
The tag permission:
One could reference access to other tables, basically.
If this is possible, there is probably also a way to increase the performance of the generated SQL queries, because at that point, one does not have to duplicate permissions in the query?
Here is an example query that Hasura 1.3.3 generated for the above model:
I have not fully thought it through, but I think this could be optimized to a simple outer join of the tags, if it is known that the permission of the tags references the object's permission.
Let me know if this makes any sense. :)
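The expansion idea discussed in this issue, as an added sketch that is not code from the issue or from Hasura: each table either states a row filter or points at another table's permission, and the reference is expanded into the nested filter that would otherwise be copy/pasted. The `_ref` key, the table names and the assumption that each relationship is named after the referenced table are all hypothetical; only the `_eq` / `X-Hasura-User-Id` filter form is existing Hasura syntax.

```python
# Added illustration; "_ref" is a hypothetical key, not Hasura syntax.
import copy

# Constructed sample model: user -> object -> tags.
# Only the root table states the actual row filter, once.
PERMISSIONS = {
    "user": {"id": {"_eq": "X-Hasura-User-Id"}},
    "object": {"_ref": "user"},   # readable if the owning user row is readable
    "tags": {"_ref": "object"},   # readable if the parent object is readable
}


def expand(table, permissions, _seen=()):
    """Return the fully nested filter for `table`, resolving every _ref."""
    if table in _seen:
        # A reference cycle has no well-defined filter; refuse instead of
        # emitting a rule that might grant access.
        chain = " -> ".join(_seen + (table,))
        raise ValueError("cyclic permission reference: " + chain)
    if table not in permissions:
        # A reference to a table with no rule must not silently allow rows.
        raise KeyError(f"no permission defined for table {table!r}")
    return _expand_expr(permissions[table], permissions, _seen + (table,))


def _expand_expr(expr, permissions, seen):
    """Walk a boolean expression (dicts, and lists under _and/_or)."""
    if isinstance(expr, list):
        return [_expand_expr(e, permissions, seen) for e in expr]
    if not isinstance(expr, dict):
        return copy.deepcopy(expr)
    out = {}
    for key, value in expr.items():
        if key == "_ref":
            # Assumption: the relationship is named after the referenced table.
            out[value] = expand(value, permissions, seen)
        else:
            out[key] = _expand_expr(value, permissions, seen)
    return out


if __name__ == "__main__":
    for name in PERMISSIONS:
        print(name, expand(name, PERMISSIONS))
```

The cycle and missing-rule checks make a bad reference fail at expansion time instead of producing a permissive filter.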