  • Rounak Datta

    1 month ago
    I'm trying to set up containerized Cerbos in my Gradle-based project. I'm using bmuschko/gradle-docker-plugin for spinning up the container in the Gradle bootstrap script. The plugin uses /bin/sh to log into the container and run a healthcheck command. However, the plugin supports only POSIX shells: https://github.com/bmuschko/gradle-docker-plugin/blob/master/gradlew#L32 and I noticed that the Cerbos Dockerfile uses alpine & doesn't have /bin/sh. Do you have any suggestions around this?
  • Viet Au

    1 month ago
    Hi, when storing policies in a database I can see that the policy table has a disabled column that defaults to false. Is there a way of setting this through the admin API?
  • Rounak Datta

    1 month ago
    Hello, consider a SaaS ecosystem where you have the following hierarchy: tenant->team->project. Now let's say someone is a viewer for a tenant; that person should be by default a viewer for every project under every team in that tenant. How do we achieve this using scoped policies?
  • Emre (Cerbos)

    1 month ago
    Hi 👋 @Ryan Killeen, welcome to the Cerbos community! How can we help you?
  • Ryan Killeen

    1 month ago
    Hey @Emre (Cerbos), nice to be here! I'm evaluating Cerbos to replace a custom permissions system, joined to ask a few questions, and found them all answered already (plus learned a few cool things along the way!)
  • Ryan Killeen

    1 month ago
    If there's any guidance around migrating a legacy system I'd love to hear it, but I believe Cerbos sets us up to model our current resources and match against old "roles" and permissions fairly painlessly.
  • Ryan Killeen

    1 month ago
    Another question I've been mulling over, around custom permissions: right now we enable tenants to heavily customize roles and permissions. Trying to model this the Cerbos way, I believe that custom "roles" are a user-facing label around sets of attributes that we can then derive roles from in Cerbos policies, rather than trying to make Cerbos custom-role aware or updating policies. Does that sound like the right approach? If there are any exceptions or gotchas or "you might want to update policies if" type thoughts, I would love to hear them! (So much for not having questions 😄 )
  • Rob Crowe

    1 month ago
    For policies that have a time-based element to the condition, for example `timestamp(P.attr.some_claim).timeSince() < duration("1h")`: is there a good way to make those policy tests deterministic? `P.attr.some_claim` is hardcoded RFC3339 in the test & `timeSince()` uses the current server time.
  • Ryan Killeen

    1 month ago
    One question: is it possible to run the sandbox locally?
  • Alexander Ramin

    1 month ago
    Morning, I have a question that I may already know the answer to 😉, but would like an opinion. I have a resource, `Account`. These Accounts can be `Staff` or `Customer` Accounts. I have a scenario where I want to grant certain principals permission to Update Staff Accounts. Every other principal should not be able to update staff accounts (but may update Customer Accounts). What I tried was adding a check for the Resource Attribute in the Principal Policy, e.g.
    # Principal Policy
    # Note: this block is a derived roles definition; apiVersion and parentRoles
    # are added so Cerbos accepts it, and the CEL operator & is corrected to &&.
    apiVersion: api.cerbos.dev/v1
    derivedRoles:
      name: foo
      variables:
        local:
          is_staff: P.attr.is_staff   # assumed definition of V.is_staff
      definitions:
        - name: foo.admin
          parentRoles: ["user"]       # assumed parent role
          condition:
            match:
              expr: V.is_staff && R.attr.is_staff_account == true
        - name: foo.dev
          parentRoles: ["user"]
          condition:
            match:
              expr: V.is_staff && R.attr.is_staff_account == false
    Is this just a bad idea? Would it be better to just create separate `StaffAccount` and `CustomerAccount` Resources instead of checking the resource attribute in the principal policy? Thanks a lot.