How would you approach building an authorization-aware search/filtering functionality? It seems like you'd either need to ship all of the search/filtering attributes into the authz system, or you'd need to materialize a view of the access graph back into the product's database and join on it when searching.
That's definitely one of the more complicated problems. One way we've considered approaching it is to allow customers to attach metadata to resources they manage via Warrant and allow them to query (or search) against this metadata. This obviously has its trade-offs (requires duplicating/syncing of data with Warrant), so we're still exploring solutions.
