I would like to know if I can use the Ory suite to do what I want?
This is the model that I would like to implement
From my API gateway I can send the identity, the scope (group) and the operation.
Instead of the operation, I guess I can send the needed permission.
In Ory Keto, I can have a policy with the user, an action (permission?) and a resource (scope?).
So it seems to match, but in my model I would like to bind the identity to a role and not directly to the permissions.
How do I achieve this with Ory?
- There are 2 roles, "manager" and "reader", and these roles have a common permission "data:read".
- The operation "Get data" needs the "data:read" permission.
- UserA has the role "manager" on the scope "tenant1".
UserA calls "Get data" in the tenant1 scope.
I would like to know if this user has the right to do that.
And as a bonus, if Ory can generate a new access token with custom claims based on the result, it will be perfect!
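The role-based check described in this post, as an added example (not code from the post or from Ory): it models the identity, role, permission and scope relations as Keto-style relation tuples (`namespace:object#relation@subject`, where the subject may itself be a subject set) and resolves whether a user holds a permission in a scope by following role membership. The tuple data, the `roles`/`permissions` namespaces and the operation-to-permission table are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Union

@dataclass(frozen=True)
class SubjectSet:
    """All subjects that have `relation` on `namespace:object` (Keto-style subject set)."""
    namespace: str
    object: str
    relation: str

@dataclass(frozen=True)
class RelationTuple:
    namespace: str
    object: str
    relation: str
    subject: Union[str, SubjectSet]   # a user id, or a subject set to expand

# Constructed sample data: roles are scoped per tenant, permissions are granted to roles,
# never directly to users (this is the binding the post asks for).
TUPLES = [
    RelationTuple("roles", "tenant1/manager", "member", "UserA"),
    RelationTuple("roles", "tenant1/reader", "member", "UserB"),
    RelationTuple("permissions", "tenant1/data:read", "granted", SubjectSet("roles", "tenant1/manager", "member")),
    RelationTuple("permissions", "tenant1/data:read", "granted", SubjectSet("roles", "tenant1/reader", "member")),
    RelationTuple("permissions", "tenant1/data:write", "granted", SubjectSet("roles", "tenant1/manager", "member")),
]

# Assumed mapping from the operation the gateway sees to the permission it requires.
OPERATION_PERMISSION = {"get_data": "data:read", "put_data": "data:write"}

def has_relation(tuples, namespace, obj, relation, user, seen=None):
    """Is `user` in the set of subjects for namespace:obj#relation, expanding subject sets?"""
    seen = set() if seen is None else seen          # guards against cyclic role definitions
    key = (namespace, obj, relation)
    if key in seen:
        return False
    seen.add(key)
    for t in tuples:
        if (t.namespace, t.object, t.relation) != key:
            continue
        if isinstance(t.subject, str):
            if t.subject == user:
                return True
        elif has_relation(tuples, t.subject.namespace, t.subject.object, t.subject.relation, user, seen):
            return True
    return False

def can_perform(user, scope, operation, tuples=TUPLES):
    """Gateway-side decision: does `user` hold the permission `operation` needs within `scope`?"""
    permission = OPERATION_PERMISSION[operation]
    return has_relation(tuples, "permissions", f"{scope}/{permission}", "granted", user)
```

A deny for `UserA` in `tenant2` shows that role membership is scoped: holding "manager" on tenant1 grants nothing on another tenant.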