Workaround for oxidecomputer/omicron#1326 that lets us feel out what an API-level solution would buy us.
Example
For project Access & IAM page, instead of only pulling <...>/projects/:projectId/policy and showing that, we also pull the policy for the org and the silo, and combine them somehow. This is a bit of design challenge because we want to indicate where a given permission came from, and if a given user has entries at multiple levels we need to show that somehow too. This complexity hints at why all this might be better as API logic — the API can use the same logic it uses to actually resolve the permissions when it decides how to aggregate them into a synthetic policy.
Workaround for oxidecomputer/omicron#1326 that lets us feel out what an API-level solution would buy us.
Example
For project Access & IAM page, instead of only pulling
<...>/projects/:projectId/policyand showing that, we also pull the policy for the org and the silo, and combine them somehow. This is a bit of design challenge because we want to indicate where a given permission came from, and if a given user has entries at multiple levels we need to show that somehow too. This complexity hints at why all this might be better as API logic — the API can use the same logic it uses to actually resolve the permissions when it decides how to aggregate them into a synthetic policy.