roryqi opened a new issue, #10404: URL: https://github.com/apache/gravitino/issues/10404
### Describe the proposal

Problem Description

Currently, Gravitino's authorization system only supports permission checks at the level of an individual user. However, in real-world enterprise deployments, access control is typically managed with user groups (or roles) as the core unit. Many users' identity information (e.g., from LDAP/AD) inherently includes group attributes. Supporting only user-level authorization leads to:

- Management Overhead: Permissions must be granted individually to each user within a group, making it impossible to achieve efficient "grant once, apply to all group members" management.
- Mismatch with Operational Practices: Administrators prefer to grant permissions to entities like the "developers group," "analysts group," or "ops group" rather than directly to individual employee accounts.
- Underutilization of Existing Identity Data: The existing group information from identity sources is not leveraged during authorization.

Goal

Extend Gravitino's authorization model to support permission evaluation based on a user's group memberships, in addition to the existing user-level model. This will enable more flexible and enterprise-ready unified access control.

### Task list

- [ ]
