Hey! My (platform) team is aiming to provide a saas solution for group based authorization to our developers. Im wondering if somebody here already faced something similar. The main idea is to provide granular auth for this example: • Users in user-group 'group-name' are allowed to perform action 'delete /accounts/{id}' for accounts belonging to entity-set 'entity-set-name'. This article shows quite well what we are aiming for: https://build.diligent.com/fast-authorization-with-dynamodb-cd1f133437e3 Wondering if we can build it (thinking about apigw, custom lamba auth and dynamodb) or can leverage an exisiting solution(didnt find it). What do you think?

https://www.openpolicyagent.org/#application Would something like Open Policy Agent meet your goals?

Let me check! Thanks!!

OSO?

Hey @Anthony Critelli, i checked your proposal and seems to be available as a package for your app. Our setup requires a solution to work without including anything inside the app. Usually we have an apigateway that forwards request to a lambda and we need this extra thing between both to do custom auth based on groups. I think your proposal doesnt cover that, right?

@Eduard Bargues So you need a service between the API Gateway and the end service to mediate authorization? If that's the case, then OPA might not be the right fit. I think in this case you would either extend your app to use OPA, or write a service in between them to mediate the authorization.

If you prefer a centralised service approach, then Zanzibar (Google’s own implementation, oss implementations: Ory Keto, SpiceDB) is pretty neat. The key thing to scale it is how well the implementation handles the cache of the DAG schema and config. As per our internal study, SpiceDB is the most mature. But since it’s a paradigm shift, I suggest to read the paper first (https://research.google/pubs/pub48190/).

I think the customAuthLambda solution is gaining momentum guys. Seems to be the best solution in terms of operation costs (people involved + infra)