search

osohq / oso

Oso is a batteries-included framework for building authorization in your application.
https://docs.osohq.com
Apache License 2.0
3.45k stars 173 forks source link

ORM model, record, field access control enforcement & policy #610

Open gneray opened 3 years ago

gneray commented 3 years ago

This is an external tracking issue to:

  1. Gauge interest from the community for this feature
  2. Learn about what you'd want to see out of it if we worked on it.

So please:

  1. Upvote the issue if it's important to you, and
  2. Comment with any relevant info on your requirements use cases, etc.

Thanks!

PS We do all our internal engineering issue tracking separately in Notion, so you won't necessarily see regular updates to the project status here even once we begin work.

devmonkey22 commented 3 years ago

I would be curious to see thoughts on field-level access implementations - in my case, using Django Rest Framework and its serializers (to control the fields output on a per user basis). Not sure if it would require subclassing or just a mixin, or some other approach.

I would imagine white-listing all the allowed fields of each serializer across the system may become a challenge. For example, may only want to limit access to certain sensitive fields like Date of Birth, SSN, or other PHI in a case management system. But I don't care or want to define rules for EVERY field in the whole system.

saolsen commented 3 years ago

We've been considering different ways of doing this recently. One would be an allow_field(actor, action, resource, field_name) rule that was built in to the filtering. You could use that to allow someone to view a field or not. With it as a rule you could define a rule for every field in the whole system but I wouldn't want to do that either. Doing it based on a deny list like you sound like you want could just be a single simple polar rule.

allow_field(actor, action, resource, field_name) if field_name not in SENSITIVE_FIELDS);
thaonc97 commented 2 years ago

Any update on this? It would be great if this feature could be implemented.

leina05 commented 2 years ago

Hey @thaonc97!

We have a body of work planned to improve enforcement patterns, which would address this issue. We should be starting work soon, but we'll have a clearer view on timing in the next couple weeks and I can send another update then.

If you'd be up for it, it would be great to learn more about your use case and what's driving your interest in the feature as we get going on the project. If you'd prefer to share privately/in Slack, you can join our community Slack here if you haven't already: https://join-slack.osohq.com/. Feel free to DM me (@Leina) there!