Is your feature request related to a problem? Please describe.
Currently Warrant only supports wildcards in the `objectId` of a warrant. This makes it possible to specify rules on all objects of a particular type. For example, the rule user:A is editor of all reports can be specified via the warrant:

```json
{
  "objectType": "report",
  "objectId": "*",
  "relation": "editor",
  "subject": {
    "objectType": "user",
    "objectId": "A"
  }
}
```
This is useful because it allows developers to specify coarse-grained rules for specific users or groups when/where necessary, making it easier to manage the set of warrants in certain scenarios. For example, being a member of the admin role should grant a user editor privileges on all documents. With a single wildcard warrant, we don't need to add a new warrant every time a new document is created.
However, if we instead want similar functionality flowing in the opposite direction (e.g. *any* user is viewer of document:A), it is currently not possible to model this easily via a warrant. To support this sort of functionality, we should add wildcard support in the warrant subject. The warrant fulfilling our example scenario would be:

```json
{
  "objectType": "document",
  "objectId": "A",
  "relation": "viewer",
  "subject": {
    "objectType": "user",
    "objectId": "*"
  }
}
```
Describe the solution you'd like
Warrants should support the wildcard character as part of their `subject.objectId` parameter. A wildcard `subject.objectId` should specify that any subject of the type `subject.objectType` can match the warrant.
Describe alternatives you've considered
N/A
Additional context
Consider whether a warrant should be allowed to have a wildcard for both its `objectId` and its `subject.objectId`.
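One way the matching rule requested above could be evaluated, including the both-wildcards case raised under Additional context. This is an added example, not code from the issue or from Warrant; the `Rule`, `Subject`, `Check` and `IsGlobalGrant` names are hypothetical, and rejecting `*` inside a check query is an assumption of this sketch.

```go
package main

import "fmt"

// Hypothetical types for this example; not Warrant's own structs.
type Subject struct{ ObjectType, ObjectId string }
type Rule struct {
	ObjectType, ObjectId, Relation string
	Subject                        Subject
}

const Wildcard = "*"

// "*" in a stored rule means any id of the rule's type.
func idMatches(ruleId, queryId string) bool { return ruleId == Wildcard || ruleId == queryId }

// Matches compares types and relation exactly; only ids may be wildcards.
// Assumption: a check names concrete ids, so "*" in a query never matches.
func (r Rule) Matches(objType, objId, rel string, s Subject) bool {
	if objId == Wildcard || s.ObjectId == Wildcard {
		return false
	}
	return r.ObjectType == objType && r.Relation == rel &&
		r.Subject.ObjectType == s.ObjectType &&
		idMatches(r.ObjectId, objId) && idMatches(r.Subject.ObjectId, s.ObjectId)
}

// IsGlobalGrant flags the "Additional context" case: both ids are wildcards.
func (r Rule) IsGlobalGrant() bool { return r.ObjectId == Wildcard && r.Subject.ObjectId == Wildcard }

// Check reports whether any rule grants rel on objType:objId to s.
func Check(rules []Rule, objType, objId, rel string, s Subject) bool {
	for _, r := range rules {
		if r.Matches(objType, objId, rel, s) {
			return true
		}
	}
	return false
}

// SampleRules returns the two warrants from the issue text.
func SampleRules() []Rule {
	return []Rule{
		{"report", "*", "editor", Subject{"user", "A"}},
		{"document", "A", "viewer", Subject{"user", "*"}},
	}
}

func main() {
	fmt.Println(Check(SampleRules(), "document", "A", "viewer", Subject{"user", "B"}))    // true
	fmt.Println(Check(SampleRules(), "document", "A", "viewer", Subject{"service", "B"})) // false
}
```

A warrant for which `IsGlobalGrant` returns true gives the relation to every subject of the subject type on every object of the object type, so a write path could require an explicit opt-in before storing one.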