# Request to Restrict Entity Visibility Based on Logged-In User's Group Membership


night viper

Hello,
In my Developer Portal setup, I’m currently pulling Microsoft Graph Users and Groups. I would like to implement a rule that automatically filters out entities not associated with the logged-in user's group(s).

Use Case:
If a user belongs to the groups Teams Devs and Ops, and an entity in the catalog has the following YAML configuration:
    spec:
      owner: RelMan

Then this entity should not be visible to that user, since RelMan is not one of their groups.

Current Behavior:
At the moment, all users can see all entities, regardless of their group membership or the spec.owner field.

Desired Behavior:
Entities should be automatically filtered so that users only see those where the spec.owner matches one of their group memberships.
Let me know if this is achievable via RBAC, custom filters, or if a plugin is needed.

Thank you in advance!

pliant pelican
lethal pewter

I feel like this is the complete opposite of what Backstage is trying to achieve. It's for discoverability etc. within an agency, not to hide content and be a segregated society.

I agree that sometimes you don't want 'certain' records to be seen by everyone, and to do this we used the Backstage permissions framework and added a HAS_TAG verification check to template/entities.

They look for a specific label and that label identifies the 'Group Membership' needed to view/see that specific entity.
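
The two visibility rules discussed in this thread, sketched as stand-alone TypeScript (an added example, not part of any post and not Backstage's own code): the strict owner match from the question and the label-based restriction from the reply. The names `normalizeGroupRef`, `ownedByUserGroup`, `visibleByLabel`, the label key `example.com/visible-to`, the default-namespace handling and the sample data are assumptions; in a real deployment the decision would be made server-side in a permission policy, not in the UI.

```typescript
// Constructed model of a catalog entity; only the fields this check needs.
interface Entity {
  metadata: { name: string; labels?: Record<string, string> };
  spec?: { owner?: string };
}

// Hypothetical label key naming the group required to view an entity.
const VISIBILITY_LABEL = "example.com/visible-to";

// Normalize "RelMan", "group:relman" or "group:default/RelMan" to one form, so a
// short spec.owner matches a full group ref (assumes the "default" namespace).
function normalizeGroupRef(ref: string): string {
  let rest = ref.trim().toLowerCase();
  let kind = "group";
  let namespace = "default";
  const colon = rest.indexOf(":");
  if (colon >= 0) { kind = rest.slice(0, colon); rest = rest.slice(colon + 1); }
  const slash = rest.indexOf("/");
  if (slash >= 0) { namespace = rest.slice(0, slash); rest = rest.slice(slash + 1); }
  return `${kind}:${namespace}/${rest}`;
}

// Strict rule from the question: visible only if spec.owner is one of the user's
// groups. Entities with no owner are denied (fail closed).
function ownedByUserGroup(entity: Entity, userGroups: string[]): boolean {
  const owner = entity.spec?.owner;
  if (!owner) return false;
  const groups = new Set(userGroups.map(normalizeGroupRef));
  return groups.has(normalizeGroupRef(owner));
}

// Label rule from the reply: only labelled entities are restricted; the rest stay discoverable.
function visibleByLabel(entity: Entity, userGroups: string[]): boolean {
  const required = entity.metadata.labels?.[VISIBILITY_LABEL];
  if (required === undefined) return true;
  return userGroups.map(normalizeGroupRef).includes(normalizeGroupRef(required));
}

// Constructed sample data: the user from the question and three entities.
const userGroups = ["group:default/teams-devs", "group:default/ops"];
const catalog: Entity[] = [
  { metadata: { name: "release-tool" }, spec: { owner: "RelMan" } },
  { metadata: { name: "deploy-api" }, spec: { owner: "Ops" } },
  { metadata: { name: "payroll", labels: { [VISIBILITY_LABEL]: "relman" } }, spec: { owner: "ops" } },
];

function visibleNames(rule: (e: Entity, g: string[]) => boolean): string[] {
  return catalog.filter(e => rule(e, userGroups)).map(e => e.metadata.name);
}
```

Under the strict rule the `RelMan`-owned entity disappears for this user, while the label rule hides only the entity that was explicitly marked, which keeps the rest of the catalog discoverable.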