Search API - Effect of Deny on result set

[identitymonk]

The Draft -03 introduces Subject search with the example:

{
  "subject": {
    "type": "user"
  },
  "action": {
    "name": "can_read",
  },
  "resource": {
    "type": "account",
    "id": "123"
  },
  "context": {
    "time": "2024-10-26T01:22-07:00"
  }
}

The specification needs to more prescriptive on the edge cases that includes Denies. Let's imagine the following policy store content (we used a non standardized policy format for the sake of the example here):

{
  "effect": "Allow",
  "subject": {
    "type": "user",
    "id": "Alice"
  },
  "action": {
    "name": "can_read",
  },
  "resource": {
    "type": "account",
    "id": "123"
  },
  "conditions": {
    "time": {
        "operator": ">",
        "value": "2024-10-26T00:00-07:00"
     },
     "time": {
        "operator": "<",
        "value": "2024-10-27T00:00-07:00"
     }
  }
},
{
  "effect": "Allow",
  "subject": {
    "type": "user",
    "id": "Bob"
  },
  "action": {
    "name": "can_read",
  },
  "resource": {
    "type": "account",
    "id": "123"
  },
  "conditions": {
    "time": {
        "operator": ">",
        "value": "2024-10-26T00:00-07:00"
     },
     "time": {
        "operator": "<",
        "value": "2024-10-27T00:00-07:00"
     }
  }
},
{
  "effect": "Deny",
  "subject": {
    "type": "user",
    "id": "Bob"
  },
  "action": {
    "name": "*",
  },
  "resource": {
    "type": "*"
  },
  "conditions": {}
},

• what should be the result set returned in this case? Only the policy about Alice? All the policies?

[davidjbrossard]

Jeff's suggestion: "The result of the evaluation is dependent on the underlying implementation". The list of identifiers (in this case subject identifiers) would contain the identifiers of the users for which, if an authZ request had been sent, the response would have decision: true.

[ogazitt]

I agree with that formulation for pretty much all the edge cases that have been presented.

[davidjbrossard]

I'm happy to add it as a PR on draft 4. Does that work for you @ogazitt ?

[ogazitt]

I'm actually trying to resolve a few of @identitymonk's recent issues with one PR, where we agreed on verbiage.

Here is what we agreed on, applied to the subject search. I will repurpose for resource and action search sections as well.

Subject search semantics

While the evaluation of a search is implementation-specific, it is expected that any returned results that are then fed into an evaluation call MUST result in a decision: true response.

In addition, it is RECOMMENDED that a subject search is performed transitively, traversing intermediate attributes and/or relationships. For example, if the members of group G are designated as viewers on a document D, then a search for all users that are viewers of document D will include all the members of group G.

[ogazitt]

PR #292 resolves this issue.