If latency requirements are tough to meet with fetching the data at policy evaluation time, I'd probably go with the first option. AFAICS, there's not really an evaluation/decision happening elsewhere, but simply a mapping of doctors to patients. This type of mapping is of course done all the time in any relational database, or between documents outside of the database in non-relational stores, etc., so it wouldn't strike me as insecure, granted of course that you'd need to trust the party that issued those claims. A common way to ensure that type of trust is to have the issuer of claims sign those claims, so that the identity of the issuer may be verified by the recipient (like OPA in this case). The most common use case for this is of course identity, where OAuth2/OIDC servers commonly sign the claims retrieved when a user authenticated, and pass those along in the form of a JWT (most commonly). As for option C, which I'd say is by far the most common to deploy, the new delta bundle feature should definitely help make that a viable option for more latency-sensitive use cases as well. I'm a bit curious about the example though—the doctor-patient relationship doesn't strike me as one where sub-second latency would be a requirement. Or was that just an example? :)
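The two deployment shapes the reply describes, written out as an added Rego example (not code from the discussion or from the OPA project): in the option A variant, the assignment service signs a JWT that lists the patients a doctor is assigned to and OPA checks the signature and issuer before trusting the mapping; in the option C variant, the mapping is replicated into OPA as `data.assignments` (loaded through a regular or delta bundle) and consulted locally. The input fields `input.user`, `input.method`, `input.path` and `input.assignment_token`, the issuer and audience names, the `assigned_patients` claim and the HMAC secret are all constructed for this illustration.

```rego
package records.authz

import future.keywords.if
import future.keywords.in

default allow := false

# Constructed example: HMAC secret shared with the issuer of relationship claims.
# For a real deployment prefer an asymmetric key and the "cert" constraint
# (PEM certificate or JWKS), so the policy only needs the issuer's public key.
claims_secret := "constructed-example-secret-do-not-use"

# Option A: the relation is evaluated elsewhere and handed to OPA as a signed
# token. OPA verifies signature, algorithm, issuer and audience, then checks
# that the token was issued for the calling doctor and names the patient.
allow if {
	input.method == "GET"
	patient_id := input.path[1]
	input.path == ["patients", patient_id, "records"]

	[valid, _, payload] := io.jwt.decode_verify(input.assignment_token, {
		"secret": claims_secret,
		"alg": "HS256",
		"iss": "assignment-service",   # constructed issuer name
		"aud": "records-service",      # constructed audience name
	})
	valid == true
	payload.sub == input.user
	patient_id in payload.assigned_patients
}

# Option C: the doctor-patient mapping is replicated into OPA as data, e.g.
#   data.assignments == {"p-123": ["dr-smith"], "p-456": ["dr-jones", "dr-smith"]}
# (constructed sample), kept fresh with bundles or delta bundles. A missing
# patient key makes the reference undefined, which denies by default.
allow if {
	input.method == "GET"
	patient_id := input.path[1]
	input.path == ["patients", patient_id, "records"]
	input.user in data.assignments[patient_id]
}
```

With option A the security boundary is the token signature: an unsigned or mis-issued token makes `io.jwt.decode_verify` return `valid == false` and the request is denied without any network call. With option C the boundary moves to the bundle pipeline, so bundle signing and a short refresh interval matter more than per-request latency, which is why the reply sees it as the common choice.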
Use Case: Doctor accessing patient records.
I have a service that stores patient records and I want to enforce a policy which allows only assigned doctors to access patient records. However, I do not store the relation information between the doctor and the patient. What is the best practice to implement such a policy from the perspective of security and latency?
A) Make the relation-based evaluation elsewhere and pass the result to OPA to enforce granular access control
B) Implement a callback mechanism where OPA calls the relationship data store
C) Store a copy of the doctor-patient relation in my service as well
What does the community here recommend as a best practice?