One potential solution: https://github.com/cerbos/cerbos. It's a standalone service (deployed alongside your app) which evaluates access decisions at runtime against contextual/arbitrary data on the principal and resources.
In your case, your resource could be a "record" for more global yes/no decisions, or perhaps as a "field" for more granular cases. Things like "can only get last 4 digits of phone number" could be achieved through attribute-based conditions set within the policies.
> I really liked the policy approach of IAM so my plan was to let data owners define policies that are then applied to users, groups, and roles
An advantage of Cerbos is that policies are defined and deployed separately from business logic in (yaml/json) config files, so no changes are required in code when policies need updating.
> At run time our coordinator engine will check levels of access to each query
Can't wrap my head around this particular part - is this checking if an entity can or cannot run a particular query, or specifically based on the "things" the query is returning?
(as a disclaimer I should mention that I work there, although Cerbos itself is Apache 2 licensed and completely free to use)
In your case, your resource could be a "record" for more global yes/no decisions, or perhaps as a "field" for more granular cases. Things like "can only get last 4 digits of phone number" could be achieved through attribute-based conditions set within the policies.
> I really liked the policy approach of IAM so my plan was to let data owners define policies that are then applied to users, groups, and roles
An advantage of Cerbos is that policies are defined and deployed separately from business logic in (yaml/json) config files, so no changes are required in code when policies need updating.
> At run time our coordinator engine will check levels of access to each query
Can't wrap my head around this particular part - is this checking if an entity can or cannot run a particular query, or specifically based on the "things" the query is returning?
(as a disclaimer I should mention that I work there, although Cerbos itself is Apache 2 licensed and completely free to use)