openid / authzen

Proposed standard for an Authorization API
Add "Subject Lookup Query" #51

Closed tr33 closed 10 months ago

tr33 commented 10 months ago

The draft currently defines a Resource Query API to look up whether a subject can access a specific resource.

There should also be a complementary query to look up which subjects have access to a given resource. Like "_which users (subjects) can read the document 'xyz'_?" (where 'user' is a subject of type 'user' and "document 'xyz'" is a resource of type "document" and id 'xyz').

Proposed wording

## Subject Lookup Query

Perform a lookup of all subjects of a particular kind which have permissions to a certain resource. This is the complementary operation of 'Resource Lookup Query'.
Lookup subjects can be used in the form of a question like "which subjects of type '_user_' have '_read_' permission on the object of 'document' and 'xyz'?"

mandatory input parameters should be

baboulebou commented 10 months ago

The "Resource Search" and "Subject Search" APIs are already provided and part of the initial draft. Please check the draft again.

ggebel commented 10 months ago

This topic is already included in the draft spec.