[Openid-specs-authzen] Partial Evaluation meeting running as we speak

Michiel Trimpe Michiel.Trimpe at VNG.NL
Thu Apr 10 17:24:48 UTC 2025


Hi all,

The UCAST project doesn't have a serialization format; but I did some looking after the call and Styra does define the JSON format they use to serialize UCAST here: https://docs.styra.com/apps/data/reference/ucast-syntax

Cheers, Michiel
________________________________
From: Openid-specs-authzen <openid-specs-authzen-bounces at lists.openid.net> on behalf of David Brossard via Openid-specs-authzen <openid-specs-authzen at lists.openid.net>
Sent: 10 April 2025 19:10
To: AuthZEN Working Group List <openid-specs-authzen at lists.openid.net>
Cc: David Brossard <david.brossard at gmail.com>
Subject: Re: [Openid-specs-authzen] Partial Evaluation meeting running as we speak

And here are the notes from the meeting:

https://hackmd.io/pSQDKYrPSnuVX4K7rjo8_w?view


Partial Evaluation Cedar Meeting
Attendees

  *   Darin McAdams
  *   Jeff Lombardo
  *   Alex Babeanu
  *   Vladi Berger
  *   David Brossard
  *   Michiel Trimpe

Partial Evaluation in Cedar

  *   Experimental feature for the time being
  *   Some customers are playing with it
  *   By the time customers try it though, they find it too raw and give up
  *   Common use cases
     *   Search: how do you map residual fragments to the relevant query language?
     *   Search: there is a risk you might hit a non-indexed field in the underlying DB
     *   Hopelessness check: I don't have an entire request and I don't want to incur the cost of retrieving all attributes if I don't have all the information if I know I will get access denied.
     *   Impact analysis
        *   What if I change this policy, how will access be impacted?
     *   Access reviews
        *   What can Alice do? What can manager do?
  *   Cedar already produces a JSON version of its AST that represents a partial evaluation response
     *   https://cedarland.blog/usage/partial-evaluation/content.html
  *   We can compare it with the draft spec

Differences between products

  *   The usefulness and scope of partial evaluation depend on whether the underlying implementation is stateful or stateless

Ucast

  *   https://github.com/stalniy/ucast
  *   https://github.com/StyraInc/ucast-linq
  *   Integration with Prisma
     *   https://www.npmjs.com/package/@styra/ucast-prisma
     *   https://www.prisma.io/
  *   Challenge
     *   ucast is not a standard
     *   ucast doesn't define a serialization format in the OS project
     *   check with Styra
     *   the last commit is nearly 2 years old

Other formats

  *   https://json-e.js.org/

Reaching out to the new 'product bucket'

  *   If partial evaluation is about data filtering, then the target is data platforms (in a broad sense) such as SQL DB vendors, data platforms (Trino, Immuta, Snowflake), or DB SaaS (Athena, RDS…)



On Thu, Apr 10, 2025 at 9:10 AM Lombardo, Jeff via Openid-specs-authzen <openid-specs-authzen at lists.openid.net> wrote:

You can join the meeting for the next hour if possible for you. We will share the recording after the fact.



Meeting title: AuthZEN Partial Evaluation discussion

Personalized ID: 6455908420

Meeting ID: 6455 90 8420

Hosting Region: United States (Ohio)

URL Link: https://chime.aws/6455908420

US dial-in: +1 206-462-5569

US toll-free dial-in: +1 855-552-4463

International dial-in numbers: https://chime.aws/dialinnumbers/



Jean-François “Jeff” Lombardo | Amazon Web Services



Principal Solution Architect, Security Specialist - Montréal, Canada

Mobile: 514.778.5565








--
---
David Brossard
http://www.linkedin.com/in/davidbrossard
http://twitter.com/davidjbrossard
http://about.me/brossard
---
Stay safe on the Internet: IC3 Prevention Tips<https://www.capefearnetworks.com/wp-content/uploads/2017/05/Internet-Fraud-Prevention-Tips-IC3.pdf>
Take precautions on the Internet: https://cyber.gouv.fr/bonnes-pratiques-protegez-vous