It would be nice if partial evaluation could answer questions like, can the principal access any resource of type “Order”. (Or similarly, can any principals of type "Contractor" access a given resource.) Users have been asking for this, e.g., for UX use cases to decide whether to show the user a “list orders” button.
To support this, we would like to support type constraints on partial-evaluation unknowns. Specifically, instead of just leaving resource completely unknown, the API would allow specifying the type of resource but leaving the entity ID, parents, attributes, etc. unknown. And likewise for principal. (And probably action, if we wanted to also handle questions like, can the principal perform any action in the Foo namespace on this resource.)
Related to #325, but #325 focuses on type-checking specifically, while this issue is about enabling new kinds of partial-evaluation queries. This issue would hopefully be able to share implementation with #325, although since the motivations are different, it's possible the user experience ends up looking different than it would for #325 alone.
Describe alternatives you've considered
We could contemplate a more powerful and general version of this, allowing more kinds of constraints on unknowns or even arbitrary constraints written as Cedar expressions. For example, "can the principal access any resource in this group". However, this issue was written for type constraints specifically, envisioning that this might be significantly easier (in API design or implementation or both) than the general case.
Additional context
No response
Is this something that you'd be interested in working on?
👋 I may be able to implement this feature request
⚠️ This feature might incur a breaking change
Category
User level API features/changes
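The "list orders" button question from this request, as an added toy model (not Cedar's implementation or API) of how fixing only the type of an unknown resource lets a residual collapse. `Expr`, `Resource`, `partial_eval` and `may_access` are hypothetical names, the policy is constructed, and the model assumes permit-only policies.

```rust
// Added illustration: a toy three-valued evaluator, not Cedar's code.
#[derive(Clone, Debug, PartialEq)]
enum Expr {
    Bool(bool),
    ResourceIs(&'static str),           // models `resource is T`
    AttrEq(&'static str, &'static str), // models `resource.attr == "v"`
    And(Box<Expr>, Box<Expr>),          // models short-circuit `&&`
}

// What the caller knows about the resource at query time.
#[derive(Clone, Copy)]
enum Resource {
    Unknown,                     // fully unknown resource
    UnknownOfType(&'static str), // proposed: type fixed, id/parents/attrs unknown
}

// Reduce `e` as far as the known facts allow; what is left is the residual.
fn partial_eval(e: &Expr, r: Resource) -> Expr {
    match (e, r) {
        (Expr::ResourceIs(t), Resource::UnknownOfType(ty)) => Expr::Bool(*t == ty),
        (Expr::And(l, rhs), _) => match partial_eval(l, r) {
            Expr::Bool(false) => Expr::Bool(false),
            Expr::Bool(true) => partial_eval(rhs, r),
            left => Expr::And(Box::new(left), Box::new(partial_eval(rhs, r))),
        },
        _ => e.clone(), // attribute tests and untyped `is` stay unknown
    }
}

// Permit-only model (assumption: no forbid policies): access is ruled out
// only when every policy condition reduces to `false`.
fn may_access(policies: &[Expr], r: Resource) -> bool {
    policies.iter().any(|p| partial_eval(p, r) != Expr::Bool(false))
}

// Constructed sample: permit ... when { resource is Invoice && resource.status == "open" }
fn sample_policies() -> Vec<Expr> {
    let cond = Expr::And(
        Box::new(Expr::ResourceIs("Invoice")),
        Box::new(Expr::AttrEq("status", "open")),
    );
    vec![cond]
}

fn main() {
    let ps = sample_policies();
    println!("untyped unknown: {}", may_access(&ps, Resource::Unknown));
    println!("type Order:      {}", may_access(&ps, Resource::UnknownOfType("Order")));
    println!("type Invoice:    {}", may_access(&ps, Resource::UnknownOfType("Invoice")));
}
```

With a fully unknown resource the policy leaves a residual, so the button cannot be ruled out; with the type fixed to `Order` the residual is `false` and the button can be hidden.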