hasura / graphql-engine

Blazing fast, instant realtime GraphQL APIs on your DB with fine grained access control, also trigger webhooks on database events.
https://hasura.io
Apache License 2.0
31.18k stars 2.77k forks

Better entitlement framework in V3 #10253

Open manasag opened 6 months ago

manasag commented 6 months ago

Currently, Hasura uses role-based access control, where you define the entire set of permissions per-role. However, this doesn't scale well because:

- It's not always possible to capture all possible states in the authorization system as separate roles.
- It's not possible to reuse permissions (allowed fields, model predicate) across roles.
- For complicated permissions, it's hard to verify the correctness of a model's permissions predicate at a glance.

The RFC on the proposal can be followed here: https://github.com/hasura/graphql-engine/pull/10237

V2 Issues that can be addressed by this proposal:

rahulagarwal13 commented 4 months ago

Related GH Issue - https://github.com/hasura/graphql-engine/issues/10310