<div dir="ltr">Thanks Alex & Andres!<div><br></div><div>Andres also suggested modeling a "todo_list" type / singleton instance, which has the roles modeled as relationships (admin, evil_genius, editor). The can_read_todos and can_create_todos permission payloads can use the <font face="monospace">"resource": { "type": "todo_list", "id": "todo-list-1" } </font>as the resource context, which makes sense to me.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jul 8, 2024 at 10:56 AM Andres Aguiar <<a href="mailto:andres.aguiar@okta.com">andres.aguiar@okta.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><br></div>FWIW, for some ReBAC implementations, sending the OwnerID in the context would work too.<div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Mon, Jul 8, 2024 at 2:13 PM Alex Babeanu via Openid-specs-authzen <<a href="mailto:openid-specs-authzen@lists.openid.net" target="_blank">openid-specs-authzen@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
</div><div dir="ltr">Hello there,<div><br><div><a class="gmail_plusreply" id="m_2607686244640638304m_8120527687129596759m_3435333613529489265plusReplyChip-0" href="mailto:omri@aserto.com" target="_blank">@Omri Gazitt</a> and all, the simplest solution for this is to send the same todo ID to the PDP on every request. Graph-based systems can just use a single Node representing all possible TODOs; you're really only authorizing the action in this use case. This singular ID can be ignored by Policy-as-code systems. It's the approach we used for 3Edges in the 1st interop.</div><div><br></div><div>So we don't need to store data, and there's no need for events or APIs. This is what the data looks like in 3Edges:<br></div><div><img src="cid:ii_lyd8oulv0" alt="image.png" width="562" height="412"><br></div><div><br></div><div>Bottom line, let's call this singular todo `todo1` or something, and always pass that single value (I can just change the current Node ID I have "TodoApp" to use whatever you guys prefer).</div><div><br></div><div>Cheers,</div><div><br></div><div>./\.</div><div><br></div><div><br></div></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sun, Jul 7, 2024 at 5:16 PM eve--- via Openid-specs-authzen <<a href="mailto:openid-specs-authzen@lists.openid.net" target="_blank">openid-specs-authzen@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>Hey Omri, thanks for all this. I’ll be on the road — Beryl willing — and can’t attend this coming week’s call. No comments on the new Evaluations section at this time, but here are quick thoughts FWIW on your Todo evolution writeup.<div><br></div><div>Dynamic resources need to be catered for. A reliance on too-static resource URLs or IDs will not be sustainable for a lot of APIs needing protection. With SSF now in the picture, your idea to use it to help manage resource lifecycles is intriguing. 
We need a method that's lightweight and asynchronous from the tasks of policy decision making. Maybe such a solution could be an SSF profile that is optionally combinable with AuthZEN usage but on which the latter has no deep dependency.</div><div><div>
<div dir="auto" style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div dir="auto" style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div dir="auto" style="font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none;color:rgb(0,0,0)"><div dir="auto" style="color:rgb(0,0,0);font-family:Helvetica;font-size:12px;font-style:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div dir="auto" style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div dir="auto" style="color:rgb(0,0,0);letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;text-decoration:none"><div><br>Eve Maler | cell and Signal <a href="tel:+1-425-345-6756" target="_blank">+1 (425) 345-6756</a><br>Visit the <a href="https://urldefense.com/v3/__http://vennfactory.com/__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwF4a7hYEA$" target="_blank">Venn Factory</a><br>Request a <a href="https://urldefense.com/v3/__https://fantastical.app/eve/15__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFwiN4EdQ$" target="_blank">15-minute consultation</a></div></div></div></div></div></div></div>
</div>
<div><br><blockquote type="cite"><div>On Jul 7, 2024, at 4:51 PM, Omri Gazitt via Openid-specs-authzen <<a href="mailto:openid-specs-authzen@lists.openid.net" target="_blank">openid-specs-authzen@lists.openid.net</a>> wrote:</div><br><div><div dir="ltr">Hi folks! Hope everyone had a good weekend (and for US folks, a good holiday weekend).<div><br></div><div>I took two action items in last week's call:</div><div><ol><li>Create an AuthZEN 1.1 spec with the /access/v1/evaluations section. This is now merged and <a href="https://urldefense.com/v3/__https://openid.github.io/authzen/authorization-api-1_1__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwGTs-4mVA$" target="_blank">published</a>!</li><li>Update the Todo backend and make it compliant with the new AuthZEN 1.0 spec, and specifically the resource ID field being mandatory.<br></li></ol></div><div>On #2, I ran into a significant design issue that I believe is worth discussing on Tuesday's call. 
Please read this background <a href="https://urldefense.com/v3/__https://hackmd.io/rOm3BA4qSGmX477UXRNUuw?view__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwGG6Gu17Q$" target="_blank">document</a> so that we can dedicate some time on the agenda to picking a way forward.<br></div><div><br></div><div>Thanks,</div><div>Omri.<br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr"><table style="color:rgb(34,34,34);font-family:tahoma,sans-serif;border:none;border-collapse:collapse"><tbody><tr style="height:0pt"><td style="vertical-align:top;padding:5pt;overflow:hidden"><div style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><a href="https://urldefense.com/v3/__http://www.aserto.com/__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFpuXwEuw$" target="_blank"><img src="https://raw.githubusercontent.com/aserto-dev/artwork/main/logo/horizontal/color/aserto-horizontal-color.png" width="96" height="35"></a></div></td><td style="vertical-align:middle;padding:5pt;overflow:hidden"><div style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-family:Roboto,sans-serif;background-color:transparent;font-weight:700;vertical-align:baseline;white-space:pre-wrap"><span style="font-size:10pt">Omri Gazitt</span><span style="font-weight:normal"><span style="font-family:Arial;background-color:transparent;vertical-align:baseline"><span style="white-space:pre-wrap"> </span></span></span><span style="font-size:10pt">| </span></span><span style="background-color:transparent;font-family:Roboto,sans-serif;font-size:10pt;white-space:pre-wrap">CEO</span></div><div style="line-height:1.2;margin-top:0pt;margin-bottom:0pt"><span style="font-size:10pt;font-family:Roboto,sans-serif;background-color:transparent;vertical-align:baseline;white-space:pre-wrap"><a 
href="https://urldefense.com/v3/__http://www.aserto.com/__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFpuXwEuw$" target="_blank">Aserto</a> Inc.</span><span style="background-color:transparent;font-family:Arial;vertical-align:baseline"><span style="white-space:pre-wrap"> </span></span><span style="font-family:Roboto,sans-serif;font-weight:700;white-space:pre-wrap;font-size:10pt">| </span><span style="background-color:transparent;font-family:Roboto,sans-serif;font-size:10pt;white-space:pre-wrap">(425) 765-0079</span></div></td></tr></tbody></table></div></div></div></div>
-- <br>Openid-specs-authzen mailing list<br><a href="mailto:Openid-specs-authzen@lists.openid.net" target="_blank">Openid-specs-authzen@lists.openid.net</a><br><a href="https://urldefense.com/v3/__https://lists.openid.net/mailman/listinfo/openid-specs-authzen__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFKAvs5_g$" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-authzen</a><br></div></blockquote></div><br></div></div>
</blockquote></div><br clear="all"><div><br></div><span class="gmail_signature_prefix">-- </span><br><div dir="ltr" class="gmail_signature"><div dir="ltr"><a href="https://urldefense.com/v3/__https://hihello.me/p/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5__;!!PwKahg!66ljWFYeUAo8Pcc3ZTv79FMnMiNW6JiwHvIjiQz7ilTL6gCb5AUAXuO5kSm06ETN6tVMbEvOjnbQ0_GBPyoAmwJxvwFsoaPabQ$" rel="noopener" style="display:inline-block" target="_blank"><img alt="This is Alexandre Babeanu's card. Their email is alex@3edges.com. Their phone number is +1 604 728 8130." src="https://cdn.hihello.me/cards/cda689b1-0378-4b9c-88cf-33a9bc8ef0c5/signature_logo.png?generated=1653502150176" width="360" style="display: inline-block; min-height: 100px;"></a><br></div></div>
</blockquote></div>
</blockquote></div>
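<p>As an added example, not code from the interop or from anyone on this thread: a minimal relationship-based PDP in Python that decides AuthZEN-style evaluation requests against the singleton "todo_list" resource with the roles modeled as relationships, and that uses the OwnerID passed in the request context for per-todo actions. The user names, the role-to-permission mapping, the per-todo action names and the ownerID context key are assumptions made for illustration.</p>

```python
from typing import Any, Dict, Set, Tuple

# Constructed sample data, not the interop's: roles are relationships from a
# user to the singleton "todo_list" resource (type, id) proposed in the thread.
RELATIONSHIPS: Set[Tuple[str, str, str, str]] = {
    ("alice", "admin", "todo_list", "todo-list-1"),
    ("bob", "editor", "todo_list", "todo-list-1"),
    ("carol", "evil_genius", "todo_list", "todo-list-1"),
}
# Assumed: which relations on the list grant each list-level action.
LIST_PERMISSIONS: Dict[str, Set[str]] = {
    "can_read_todos": {"admin", "editor", "evil_genius"},
    "can_create_todos": {"admin", "editor"},
}
# Assumed per-todo actions, decided from the ownerID the PEP sends in the
# request context instead of from stored per-todo tuples.
OWNER_ACTIONS = {"can_update_todo", "can_delete_todo"}
SINGLETON = ("todo_list", "todo-list-1")


def relations_of(subject_id: str, resource: Tuple[str, str]) -> Set[str]:
    """Relations the subject holds on the given (type, id) resource."""
    return {rel for (s, rel, t, i) in RELATIONSHIPS
            if s == subject_id and (t, i) == resource}


def evaluate(request: Dict[str, Any]) -> Dict[str, Any]:
    """Decide an AuthZEN-style request {subject, action, resource, context}.
    Returns {"decision": bool, ...}; anything malformed or unknown is denied."""
    try:
        subject_id = request["subject"]["id"]
        action = request["action"]["name"]
        # resource.id is mandatory in AuthZEN 1.0, so its absence is an error.
        resource = (request["resource"]["type"], request["resource"]["id"])
    except (KeyError, TypeError):
        return {"decision": False, "context": {"reason": "malformed request"}}
    ctx = request.get("context")
    ctx = ctx if isinstance(ctx, dict) else {}

    list_rels = relations_of(subject_id, SINGLETON)
    if action in LIST_PERMISSIONS and resource == SINGLETON:
        # List-level action: the id is a constant, only the roles matter.
        return {"decision": bool(list_rels & LIST_PERMISSIONS[action])}
    if action in OWNER_ACTIONS and resource[0] == "todo":
        # Per-todo action: owner from context, or an admin on the list.
        is_owner = ctx.get("ownerID") == subject_id
        return {"decision": is_owner or "admin" in list_rels}
    return {"decision": False, "context": {"reason": "unknown action"}}
```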