Add support for Entitlement-based Authorization #10310
Labels
a/authz
Issues related to "authorization" and the policy engine after session claims are processed
c/v3-engine
V3 Metadata and Engine
k/enhancement
New feature or improve an existing feature
Component
c/v3-engine
Is your proposal related to a problem?
No
Describe the solution you'd like
Entitlement-based authorization would allow for more granular access control based on specific attributes of the data being accessed. Currently, if Hasura receives a request for an attribute the requestor does have access to, the query will not execute and an error is returned. Entitlements would allow for this query to execute, but only return the data that the requestor has access to. Attributes the requestor does not have access to will be blank (empty string or null, etc.).

For example, if I have a User object with this shape:
With this Entitlements configuration:

- `default` entitlement has access to `name`, `email` properties
- `salary` entitlement has access to everything `default` has access to, plus `salary`
- `location` entitlement has access to everything `default` has access to, plus `location`

As the requestor, if I have the `default` entitlement and make a request for the full `Employee` object, I will see the following:

If I have the `salary` and `location` entitlements, I will see:

If I have an `admin` entitlement, I have access to all attributes.

Describe alternatives you've considered
None. Current Authorization rules do not provide this.
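
The field masking requested above, sketched as an added example (this is not code from the issue or from Hasura). The `*` wildcard for `admin`, the function names and the sample record are assumptions; entitlement names that are not configured grant nothing.

```python
from typing import Any, Iterable

# Entitlement -> attributes it grants, as listed in the issue.
# The "*" wildcard for admin is an assumption of this sketch.
GRANTS: dict[str, frozenset[str]] = {
    "default": frozenset({"name", "email"}),
    "salary": frozenset({"name", "email", "salary"}),
    "location": frozenset({"name", "email", "location"}),
    "admin": frozenset({"*"}),
}


def visible_fields(entitlements: Iterable[str], requested: Iterable[str]) -> set[str]:
    """Requested attributes covered by the union of the entitlements held.

    Unknown entitlement names contribute nothing (fail closed).
    """
    granted: set[str] = set()
    for name in entitlements:
        granted |= GRANTS.get(name, frozenset())
    wanted = set(requested)
    return wanted if "*" in granted else wanted & granted


def mask_row(row: dict[str, Any], entitlements: Iterable[str],
             requested: Iterable[str]) -> dict[str, Any]:
    """Return the requested attributes, with ungranted ones set to None.

    The query still succeeds; nothing outside `requested` is returned and
    an ungranted value is never copied into the result.
    """
    wanted = list(requested)
    visible = visible_fields(entitlements, wanted)
    return {f: (row.get(f) if f in visible else None) for f in wanted}


# Constructed sample record (the issue's own object is not shown on the page).
EMPLOYEE = {"name": "Ada Example", "email": "ada@example.test",
            "salary": 100000, "location": "Berlin"}
FULL = ["name", "email", "salary", "location"]

if __name__ == "__main__":
    for held in (["default"], ["salary", "location"], ["admin"], ["unknown"]):
        print(held, mask_row(EMPLOYEE, held, FULL))
```

A masked `None` is indistinguishable from a stored null, so a client cannot tell "no value" from "not entitled" unless the response also reports which attributes were withheld.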