I wanted to implement a multi-tenant RBAC.
- A subject has one or many roles on resources.
- The resources belong to the tenants.
- A role is a set of permissions.
This is where I had a problem applying the concepts to the Keto ACP.
I thought of doing:
- Subject = Subject or Role
- Action = Permission
- Resource = tenant
In your model, a role is a set of subjects and not permissions.
So, how do I associate a subject with a role on a particular tenant without going down to the permission level in the definition of policies?