Plugin Name

rbac-backend

🔖 Feature description

I am using a proxy auth provider (oauth2-proxy to be specific), where I don't have my users loaded into the catalog and use a custom signInResolver. However, I can validate their identity and their ownerships resolution of any groups deemed relevant through my OIDC client's response and custom signInResolver code. I had hoped I would be able to use RBAC and specify policies that used these ownership references and evaluated them "at-runtime".
However, it looks like RBAC does not really take into account any ownership reference that my user object has.

🎤 Context

It is not feasible for me in my organization to populate the org-data in the catalog, however I can build the ownerships at sign-in (as suggested in the docs). This does not seem compatible with the RBAC plugin?

✌️ Possible Implementation

From what I understand, currently the plugin always builds a graph from the catalog and relies on that. Would it be doable to look at the current user's ownership references and base decisions off of that too?
Is there any way I can do with conditional policies or does the plugin always rely on the catalog-based graph?

👀 Have you spent some time to check if this feature request has been raised before?

•  I checked and didn't find similar issue

🏢 Have you read the Code of Conduct?

•  I have read the Code of Conduct

Are you willing to submit PR?

No, I don't have time to work on this right now

Contributed from upstream Backstage Community Plugins repo link: https://github.com/backstage/community-plugins/issues/2077