Hi. I see that client keys and roles and the public permission were deprecated in 2.12.0 in favor of ABAC. I see in the docs how to use ABAC for authenticated users, but what’s the best practice for unauthenticated?
I have two scenarios. In one, most like the client role access, unauthenticated users only have read access. Perhaps I just create a single user with an empty password to represent all unauthenticated users and use that for ABAC? And then make it impossible to sign into that user normally?
In the other scenario, unauthenticated users can create content and then I want them to be able to create an account and claim their content. If they never create an account then I can clean up unclaimed content, as well as their unclaimed unauthenticated user records, out in background jobs. Perhaps I create multiple users for unauthenticated users with empty passwords in that case, and “creating an account” means adding a real user name and password to the formerly-anonymous user record?
If I missed docs about this, apologies: please send them over.