Description
The API Builder is very powerful in its current form and has served us very well for our multi-tenancy web app. However, for our project the current implementation of database policies is hindering us, particularly in their lack of complexity and the types of operations they can control. Supported expressions are limited to basic binary and unary operators, restricting the ability to implement more nuanced and dynamic security policies.
Feature Request:
We propose an enhancement to the Azure Data API Builder's policy engine, specifically in the realm of advanced expression support. The following capabilities would address our current project needs and open up new possibilities for complex application scenarios:
- Support for Complex Join Operations: The ability to create policy expressions that perform more advanced join operations. This would include joining multiple tables or views to evaluate permissions based on a composite of data points across the database.
- Conditional Logic in Expressions: Enhanced support for conditional logic within policy expressions. This includes the use of IF/THEN/ELSE statements or similar constructs, allowing for more dynamic and context-aware policy decisions.
- Aggregation and Grouping Functions: The integration of aggregation functions (like SUM, COUNT, etc.) and grouping capabilities within policy expressions to allow permissions to be evaluated based on aggregated data insights.
Use Case:
Our application manages building-specific data in a facility management system and requires granular control over user access based on their specific roles and permissions within each building. For instance, we need to construct policies that can determine user permissions based on a combination of their role, the building they are accessing, and specific actions they are authorized to perform (like editing, viewing, or deleting data related to that building).
Mock policy example we would love if it worked:
```json
{
  "action": "delete",
  "policy": {
    "database": "@item.id in (select building_id from dbo.UserBuilding where user_id eq @claims.UserId and permission_id eq 1)"
  }
}
```
Potential Impact:
Enhancing policy capabilities will greatly benefit applications requiring more sophisticated access control and security models. It will allow developers to implement fine-grained, dynamic permission systems directly within the Azure Data API Builder.
Thank you for considering this feature request.
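
The access rule the mock policy asks for, written out as an added example (not Data API Builder code and not part of the original request). SQLite stands in for the real database, the `Building` table, the sample rows and the function names are constructed assumptions, and `permission_id` 1 is taken to mean delete, as in the mock policy.

```python
import sqlite3

# Constructed sample data. Only UserBuilding and its columns come from the
# mock policy; the Building table and all rows are assumptions.
SCHEMA = """
CREATE TABLE Building (id INTEGER PRIMARY KEY, name TEXT);
CREATE TABLE UserBuilding (user_id TEXT, building_id INTEGER, permission_id INTEGER);
INSERT INTO Building VALUES (1, 'North Tower'), (2, 'Annex');
INSERT INTO UserBuilding VALUES
  ('alice', 1, 1),  -- alice may delete building 1
  ('alice', 2, 2),  -- alice holds a different permission on building 2
  ('bob',   2, 1);  -- bob may delete building 2
"""

DELETE_PERMISSION_ID = 1  # value used in the mock policy


def open_db():
    """Create an in-memory database loaded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def delete_building(conn, claims_user_id, building_id):
    """Delete a building only if the caller's UserId claim grants it.

    The membership subquery is part of the DELETE itself, so the permission
    check and the write happen in one statement. The claim value is bound as
    a parameter and never concatenated into the SQL text.
    Returns the number of rows deleted (0 means the policy denied it).
    """
    cur = conn.execute(
        """
        DELETE FROM Building
        WHERE id = ?
          AND id IN (SELECT building_id FROM UserBuilding
                     WHERE user_id = ? AND permission_id = ?)
        """,
        (building_id, claims_user_id, DELETE_PERMISSION_ID),
    )
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = open_db()
    print(delete_building(db, "alice", 2))  # different permission on building 2
    print(delete_building(db, "alice", 1))  # permission 1 on building 1
```
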