I oftentimes use UDFs with the @role decorator to perform data access checks before returning data, rather than relying on pure ABAC roles. My problem is when I need to return enough data from these UDFs that I need to paginate to load that data in my client.
Paginating on embedded sets returned by a UDF happens outside the privilege of that UDF, and so any data retrieval done this way must either be covered by ABAC roles or a custom UDF that manually performs pagination.
I’d like to be able to generate a secure embedded set or cursor that is bound to a specific identity so that that identity can pull the pages of data outside the context of the original UDF.