Description
What Would You Like to Improve?
While implementing support for conditional policies, we encountered a challenge related to the dynamic nature of policy parameters. Originally, when conditions were defined in code, developers could easily provide dynamic values within the code itself. However, we're now working on a code-less flow, where policy administrators can specify parameter values using a REST API. The issue is that administrators can only provide a predefined set of values, and they cannot input dynamic values, which may limit the effectiveness of certain permission policy parameters.
Example:
Consider the following JSON representing a policy:
    {
      "result": "CONDITIONAL",
      "pluginId": "catalog",
      "resourceType": "catalog-entity",
      "conditions": {
        "rule": "IS_ENTITY_OWNER",
        "resourceType": "catalog-entity",
        "params": {
          "claims": ["user:default/andrienkoaleksandr", "group:default/team-a"]
        }
      }
    }
In this example, we've specified claims to allow users to see their own catalogs or catalogs within "group:default/team-a". Ideally, it would be beneficial if the plugin could provide user entity references for the currently logged-in user, along with a list of their corresponding parent groups.
Current Behavior
Currently, permission administrators can only specify conditional parameter values using the REST API.
New Behavior
We propose the introduction of aliases. Our RBAC backend plugin could support a predefined set of such aliases. When the plugin detects these aliases in the provided parameters, it would automatically replace them with the appropriate dynamic values, enhancing the flexibility and power of permission policy parameters.
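A sketch of the alias substitution proposed above, added here as an example; it is not code from this issue or from the RBAC backend plugin. The alias tokens `$currentUser` and `$ownerRefs`, the `Identity` shape and both function names are assumptions made for illustration.

```typescript
// Hypothetical alias tokens: the issue proposes aliases but does not name them.
const CURRENT_USER = "$currentUser";
const OWNER_REFS = "$ownerRefs";

type Json = string | number | boolean | null | Json[] | { [key: string]: Json };

interface Identity {
  userEntityRef: string;         // logged-in user, e.g. "user:default/alice"
  ownershipEntityRefs: string[]; // the user plus their parent groups
}

// Expand one string. Only a whole-value match is an alias, so a literal such
// as "group:default/$currentUser" is never partially interpolated.
function expandString(value: string, id: Identity): string[] {
  if (value === CURRENT_USER) return [id.userEntityRef];
  if (value === OWNER_REFS) return id.ownershipEntityRefs.slice();
  // Fail closed: a misspelled alias must not survive as a literal claim.
  if (value.charAt(0) === "$") throw new Error("unknown alias: " + value);
  return [value];
}

// Return a resolved copy of the params; the stored policy is not mutated.
function resolveAliases(node: Json, id: Identity): Json {
  if (typeof node === "string") {
    if (node === OWNER_REFS) throw new Error(OWNER_REFS + " is only valid inside an array");
    return expandString(node, id)[0] ?? node;
  }
  if (Array.isArray(node)) {
    const out: Json[] = [];
    for (const item of node) {
      const expanded: Json[] =
        typeof item === "string" ? expandString(item, id) : [resolveAliases(item, id)];
      // Drop duplicate refs, e.g. when a literal repeats an expanded alias.
      for (const v of expanded) if (out.indexOf(v) === -1) out.push(v);
    }
    return out;
  }
  if (node !== null && typeof node === "object") {
    const copy: { [key: string]: Json } = {};
    for (const k of Object.keys(node)) {
      const v = node[k];
      if (v !== undefined) copy[k] = resolveAliases(v, id);
    }
    return copy;
  }
  return node; // numbers, booleans and null pass through unchanged
}
```

Resolution runs per request against the caller's identity, so the stored policy keeps the alias and each user gets their own expanded claims.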