
Add support for Entitlement-based Authorization #10310

Open
hasura-ericnelson opened this issue Jun 24, 2024 · 0 comments
Labels: a/authz (Issues related to "authorization" and the policy engine after session claims are processed), c/v3-engine (V3 Metadata and Engine), k/enhancement (New feature or improve an existing feature)

@hasura-ericnelson

Component

c/v3-engine

Is your proposal related to a problem?

No

Describe the solution you'd like

Entitlement-based authorization would allow for more granular access control based on specific attributes of the data being accessed. Currently, if Hasura receives a request for an attribute the requestor does have access to, the query will not execute and an error is returned. Entitlements would allow for this query to execute, but only return the data that the requestor has access to. Attributes the requestor does not have access to will be blank (empty string or null, etc.) For example, if I have a User object with this shape:

```json
{
  "Employee": {
    "name": "john smith",
    "email": "jsmith@example.com",
    "salary": 100000,
    "location": "Chicago, IL",
    "lastLogin": "2024-06-24T18:01:46.072Z"
  }
}
```

With this Entitlements configuration:

- default entitlement has access to name, email properties
- salary entitlement has access to everything default has access to, plus salary
- location entitlement has access to everything default has access to, plus location

As the requestor, if I have the default entitlement and make a request for the full Employee object, I will see the following:

```json
{
  "data": {
    "name": "john smith",
    "email": "jsmith@example.com",
    "salary": null,
    "location": "",
    "lastLogin": null
  }
}
```

If I have the salary and location entitlements, I will see:

```json
{
  "Employee": {
    "name": "john smith",
    "email": "jsmith@example.com",
    "salary": 100000,
    "location": "Chicago, IL",
    "lastLogin": null
  }
}
```

If I have an admin entitlement, I have access to all attributes.
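The masking behaviour described above, as an added example that is not part of the issue and not Hasura's own code. It models entitlements as a small configuration in which one entitlement can extend another (so salary and location inherit default's fields) and an admin entitlement grants everything; unknown entitlement names and inheritance cycles raise instead of silently granting or dropping fields, and a requestor with no entitlements sees every attribute as null. The configuration, the record and the "extends"/"all" keys are all constructed for this illustration.

```python
"""Field-level masking driven by entitlements (added example, not Hasura code).

The query still runs, but every attribute the requestor is not entitled to is
blanked (null) instead of the whole request being rejected.
"""
from typing import Any, Iterable, Mapping, Optional

# Constructed entitlement configuration mirroring the issue's description.
# "extends" lets an entitlement inherit another entitlement's fields;
# "all" marks an entitlement (admin) that grants every attribute.
ENTITLEMENTS: dict[str, dict[str, Any]] = {
    "default": {"fields": {"name", "email"}},
    "salary": {"extends": ["default"], "fields": {"salary"}},
    "location": {"extends": ["default"], "fields": {"location"}},
    "admin": {"all": True},
}

# Constructed sample record, same shape as the Employee object in the issue.
EMPLOYEE: dict[str, Any] = {
    "name": "john smith",
    "email": "jsmith@example.com",
    "salary": 100000,
    "location": "Chicago, IL",
    "lastLogin": "2024-06-24T18:01:46.072Z",
}


def resolve_fields(name: str, config: Mapping[str, Mapping[str, Any]],
                   _stack: tuple[str, ...] = ()) -> Optional[set[str]]:
    """Return the set of fields an entitlement grants, following "extends".

    Returns None for an "all" entitlement. Unknown names and inheritance
    cycles raise, so a misconfiguration fails closed.
    """
    if name in _stack:
        raise ValueError(f"entitlement cycle: {' -> '.join(_stack + (name,))}")
    if name not in config:
        raise KeyError(f"unknown entitlement: {name!r}")
    entry = config[name]
    if entry.get("all"):
        return None
    fields = set(entry.get("fields", ()))
    for parent in entry.get("extends", ()):
        parent_fields = resolve_fields(parent, config, _stack + (name,))
        if parent_fields is None:  # inheriting from an "all" entitlement
            return None
        fields |= parent_fields
    return fields


def allowed_fields(granted: Iterable[str], config: Mapping[str, Mapping[str, Any]],
                   all_fields: Iterable[str]) -> set[str]:
    """Union of fields over every entitlement the requestor holds."""
    allowed: set[str] = set()
    for name in granted:
        fields = resolve_fields(name, config)
        if fields is None:
            return set(all_fields)
        allowed |= fields
    return allowed


def apply_entitlements(record: Mapping[str, Any], granted: Iterable[str],
                       config: Mapping[str, Mapping[str, Any]]) -> dict[str, Any]:
    """Copy `record`, blanking (null) every attribute not covered by `granted`.

    A requestor with no entitlements sees every attribute as null: the default
    entitlement must be granted explicitly, never assumed.
    """
    allowed = allowed_fields(granted, config, record.keys())
    return {key: (value if key in allowed else None) for key, value in record.items()}


if __name__ == "__main__":
    for granted in ({"default"}, {"salary", "location"}, {"admin"}):
        print(sorted(granted), apply_entitlements(EMPLOYEE, granted, ENTITLEMENTS))
```

The example blanks every masked attribute to null rather than mixing null and empty strings as the issue's first response does, so that a masked field is at least consistent; note that a client still cannot tell a masked value from a genuinely null one, which is worth deciding deliberately (for instance by also returning the list of masked fields) before adopting this behaviour.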

Describe alternatives you've considered

None. Current Authorization rules do not provide this.

hasura-ericnelson added the k/enhancement (New feature or improve an existing feature) label on Jun 24, 2024.
manasag added the a/authz (Issues related to "authorization" and the policy engine after session claims are processed) and c/v3-engine (V3 Metadata and Engine) labels on Jul 22, 2024.