Runtime Authorization Rules


#1

Right now authorization rules are static, in other words, I define the rules, deploy, and then a client (user or service account) are then determined as to whether they fall in the role.

It would be great if a rule can be set up that has an expiration time. Let’s say I have a user that I want to temporarily assign them admin role. I could create a rule that says this specific user has admin rights if the date and time falls within a date and time range.

In addition, being able to define a role can be determined by data that is passed in at runtime.


#2

Would it be better to decouple this from the Authorization API as I feel it’s not part of the authorization work. For example, you could start a cron job to remove the authorization rule after some time.

What do you mean about “define a role can be determined by data that is passed in at runtime.”? Could you clarify a little about this use case? Thanks.