Open gneray opened 3 years ago
I would be curious to see thoughts on field-level access implementations - in my case, using Django Rest Framework and its serializers (to control the fields output on a per user basis). Not sure if it would require subclassing or just a mixin, or some other approach.
I would imagine white-listing all the allowed fields of each serializer across the system may become a challenge. For example, may only want to limit access to certain sensitive fields like Date of Birth, SSN, or other PHI in a case management system. But I don't care or want to define rules for EVERY field in the whole system.
We've been considering different ways of doing this recently. One would be an allow_field(actor, action, resource, field_name)
rule that was built in to the filtering. You could use that to allow someone to view a field or not.
With it as a rule you could define a rule for every field in the whole system but I wouldn't want to do that either. Doing it based on a deny list like you sound like you want could just be a single simple polar rule.
allow_field(actor, action, resource, field_name) if field_name not in SENSITIVE_FIELDS);
Any update on this? It would be great if this feature could be implemented.
Hey @thaonc97!
We have a body of work planned to improve enforcement patterns, which would address this issue. We should be starting work soon, but we'll have a clearer view on timing in the next couple weeks and I can send another update then.
If you'd be up for it, it would be great to learn more about your use case and what's driving your interest in the feature as we get going on the project. If you'd prefer to share privately/in Slack, you can join our community Slack here if you haven't already: https://join-slack.osohq.com/. Feel free to DM me (@Leina) there!
This is an external tracking issue to:
So please:
Thanks!
PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.