Support for advanced RLS+CLS level security #356
daneel3001 started this conversation in General
I am working on an application which aims at providing a low-code/no-code capability to configure both custom entities and relationships, as well as custom security policies, making it possible to implement traditional RLS and CLS as well as ReBAC-type filtering.
Example:
The platform provides a default Person entity with a Main Address relationship to an Address entity.
I would like to set up CRUD rules for a set of entities which can be filtered through RLS and filtered relationships, with this set of permissions being assignable via group membership.
So group A can read/modify/delete all Persons whose Main Language is English, and can also read their Main Address, albeit only a subset of its fields, as could be the case for all Persons. And to make things extra spicy, we would want custom field-level policies too, for read or modify.
This capability is very similar to what the platform NoLoCo allows.
We are currently exploring a traditional SQL-based approach with PostgreSQL, and I was wondering whether there are patterns to consider when looking at OpenFGA for the AuthZ layer?
My feeling for OpenFGA would be to dynamically modify the security policies on edit, in the sense that creating a new entity type would eventually modify the security policies, to implement the relevant field-level policies for CRUD operations at an API layer, and to have OpenFGA provide at best allow/deny and metadata.