In the classic XACML-based fine-grained authorization ([[fga]]) architecture, the Policy Decision Point (PDP) is responsible for deciding whether a subject, such as a user, is allowed to perform an action on a specific resource.
But in many real-world architectures this pattern is difficult to apply. Let's look at the following simple example. We want to build an application that shows a simple list of all documents a user has access to.
We could retrieve all documents from the datastore, ask the PDP whether our user has access to each one, and return only those. But that has an obvious disadvantage.
The people over at OpenID AuthZen have proposed a search API, where instead of searching in our datastore, we search in the PDP directly. Unfortunately, this approach makes it difficult, or at least impractical, for the application to implement its own filters, such as search by document name.
In this case the PDP would also be responsible for pagination, which may not be preferred. Additionally, the PDP would have to know about each resource and its relevant attributes. In reality this is something stored in the datastore.
What we really need in practice are policy-based data filters, where we ask the PDP for a filter describing the conditions under which the user is allowed to access a resource. We can then combine this authorization filter with any filter needed by the application logic to query the datastore.
A worked example is in [[opa_data_filter]].
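As a minimal sketch of the pattern (an added example, not taken from this note or the linked one): the PDP returns a condition instead of a yes/no decision, and the application ANDs it with its own name filter and pagination. The `pdp_filter` function, the `documents` schema and the sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Constructed sample data: (id, name, owner, shared_group).
DOCS = [
    (1, "budget-2024", "alice", None),
    (2, "budget-2025", "bob", "finance"),
    (3, "roadmap", "bob", "engineering"),
    (4, "budget-draft", "carol", "hr"),
    (5, "notes", "alice", None),
]

def pdp_filter(user, groups):
    """Hypothetical PDP call: returns the condition under which `user` may
    read a document, as a parameterized SQL fragment instead of a yes/no."""
    clauses, params = ["owner = ?"], [user]
    if groups:
        marks = ",".join("?" * len(groups))
        clauses.append(f"shared_group IN ({marks})")
        params += groups
    # Parenthesize so the OR cannot escape the AND added by the application.
    return "(" + " OR ".join(clauses) + ")", params

def list_documents(db, user, groups, name_like, limit, offset):
    """Application query: its own name filter and pagination, ANDed with the
    authorization filter so the datastore only returns permitted rows."""
    authz_sql, authz_params = pdp_filter(user, groups)
    sql = (f"SELECT id, name FROM documents WHERE {authz_sql} "
           "AND name LIKE ? ORDER BY id LIMIT ? OFFSET ?")
    return db.execute(sql, authz_params + [name_like, limit, offset]).fetchall()

def make_db():
    """In-memory datastore loaded with the constructed rows above."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE documents "
               "(id INTEGER PRIMARY KEY, name TEXT, owner TEXT, shared_group TEXT)")
    db.executemany("INSERT INTO documents VALUES (?, ?, ?, ?)", DOCS)
    return db

if __name__ == "__main__":
    db = make_db()
    print(list_documents(db, "alice", ["finance"], "budget%", 10, 0))
```

Pagination and the name search stay in the datastore query, and the PDP never needs to hold the documents themselves, only the rule that produces the condition.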