Is there a best practice as to checking for author...
# help
Is there a best practice as to checking for authorization on a non-specific resource? I.e. "can this user list products?" as far as I can see, the resource ID is mandatory in the /check call and the SDKs
Is it as simple as just sending "ALL" (or any other arbitrary value) as the ID?
This field can be anything unless a policy has a rule for a particular resource ID.
I implemented something akin to this by making the access a resource in itself. In our case, we're multitenant with a ton of possible ways a user can access parts of the admin section. We simply created an "Admin" resource and calculated the permissions based on the user's roles and owned entities. For an ID, we always just use
This basically lets a subset of users get past our admin middleware, and we then do more specific checks on the resources they are able to view/mutate
Alright, got it! Sounds like a good approach; I was considering the asterisk but was unsure if it was reserved. Nice to know. Thanks for the feedback 🙂