idlefeature

I've been evaluating OpenFGA for relationship-based access control (ReBAC) and I believe I've identified a significant limitation: *OpenFGA does not support multi-level indirect relationship evaluation beyond one level of indirection*.

## Example Scenario: Management Chain Authorization

Imagine a scenario where permissions should propagate up a management chain:

1. *Object A* is *owned* by *User B*. 2. *User B* is *managed* by *User C*. 3. *User C* is *managed* by *User D*.

### What OpenFGA Can Handle

If I define an authorization rule like:

``` allow manager from owner ```

Then *User C* inherits access to *Object A* because:

> "User C manages User B, who owns Object A."

### What OpenFGA Cannot Handle

OpenFGA does not allow further relationship chaining:

> "User D should be able to view Object A, because User D manages User C, who manages User B, who owns Object A."

This limitation exists because OpenFGA does not allow the `from` clause (also called a tupleset) to reference another relation. The documentation explicitly states that OpenFGA will *throw an error* if an authorization model attempts this kind of multi-level evaluation:

- ["Referencing Relations on Related Objects"](https://openfga.dev/docs/configuration-language#referencing-relations-on-related-objects) - ["Modeling Parent-Child Relationships"](https://openfga.dev/docs/modeling/parent-child#05-check-if-bob-is-an-editor-of-documentmeeting_notesdoc)

## My Questions for HN:

1. *Have I correctly understood this limitation of OpenFGA?* 2. *Are there any authorization frameworks/tools that do support recursive evaluation of indirect relationships?*

Would love to hear if anyone has encountered and solved this issue, or if OpenFGA's approach is just a fundamental design tradeoff in this space. Thanks!

I'm a software engineer with 3 years of experience, about help a fellow SE with 7 YOE do some technical interviews to find an SE with ~3-5 YOE.

Neither of us enjoy interviewing and, like most other SEs, we think that the "standard" tech/dev interview process–with its focus on whiteboard-style coding challenges–is a poor predictor of who will make a good SE on the job.

We'd like to find a colleague who's a good cultural fit (not an asshole, takes initiative, admits mistakes, attention to detail, etc.), and who's a competent problem-solver when it comes to backend software development in Java.

So, I'm looking for input, recommendations, etc. on how to make SE interviews better. Questions to ask/avoid? Helpful blogs, books, or podcasts on the topic?

(Yes, I know there's plenty out there on this topic. I'm doing my own research, but also figured I could crowdsource this one to HN and benefit from your collective wisdom!)

As a software engineer and voracious reader (ahem, or at least buyer) of books, I'm trying to follow Gergely Orosz's advice in [The Software Engineer's Guidebook](https://www.engguidebook.com/) to get a good reference book for the main languages I work in.

For Java (90% of my daily work), I just ordered [Java: The Complete Reference, 13th Edition](https://www.oreilly.com/library/view/java-the-complete/9781265062705/). For JavaScript (5%), I've got [JavaScript: The Definitive Guide, 7th Edition](https://www.oreilly.com/library/view/javascript-the-definitive/9781491952016/), and it's proven helpful in the past.

I'd like to purchase a similar reference work for Python (5% and growing), but I'm having a hard time choosing between Fluent Python, Python in a Nutshell, Introduction to Python, or something else! Any recommendations?

(Also interested in good reference book recommendations for other languages!)

I'm working on a firewall for our SCIM server. Our SCIM clients are various identity providers (Azure Active Directory, Okta, etc.). We've created IP allow lists based on the lists of IP addresses published by these identity providers, but the lists can and do change.

If we want to stick with an allow list-focused approach, what's the best way to keep our IP lists up to date? Are there notifications out there that we can subscribe to (I'm searching for these)? Is it better to just periodically fetch the lists and update our firewall? Is it better to not rely so heavily on an allow list and instead focus the firewall on something else?

Any help/advice/pointers would be appreciated. I'm new to firewall configuration and maintenance. I'm reaching out to the identity providers, but also want to learn more about best practices. Thanks!

TL;DR: Have you built a SCIM server/API? If so, did you do so from scratch, or did you use a tool/library? Which would you recommend? Anything a new-ish dev should know while building a SCIM server?

I'm trying to build a SCIM (https://www.simplecloud.info/) server to handle user provisioning from various Identity Providers (IdPs; Azure AD, Okta, Workday, etc.) into our application.

I've familiarized myself with the SCIM spec (RFC 7642, 7643, and 7644). But, as a relatively new developer, I'm still on the fence about whether (1) to build our SCIM server/API from scratch (in Java) or (2) to use a third-party tool/library.

Right now, I've got my eye on Apache Directory SCIMple as a possible tool to use. But (1) it's not on Maven Central yet and (2) it requires Java 17+ to build (and also for its spring-boot module), which might be a problem for us.

Maybe I just need to dive-in and start putting something together without relying on a third-party SCIM tool to do so. But I'll admit that, again, as a new-ish dev, I still have the gut reaction that "surely the stuff that other people have built is going to be better than what I can put together"!