Another question is it possible to check for the existance of a partial object in an array of object. let say we have

[{companyId: "company1"}, {companyId: "company2"}]

and I want to do something like

{companyId: request.principal.attr.companyId} in request.resource.attr.companies

using mysql socket failes within google cloud run. 1: is this dsn allowed? / are socket connections are supported by cerbos "${DATABASE_USER}:${DATABASE_PASSWORD}@tcp(localhost:3307)/${DATABASE_NAME}?socket=${DATABASE_SOCKET}" 2: i had to escape the socket-path as %2Fcloudsql%2F<sql-connection-name> instead of /cloudsql/<sql-connection-name> Is this the right escape-method? what should be used here? i also tried $2F and //

Are there any plans for extending [orm-prisma](https://github.com/cerbos/query-plan-adapters/tree/main/prisma). I started using it yesterday but it is quite limited in it current state 🙂 I added support for the exists and size operator in a very crude way.

Hi, I'm trying to deploy cerbos to cloud run. Is exposing cerbos with a public endpoint a security concern or is there another way to secure cerbos? Because cloud run doesn't support sidecar containers and doesn't make it easy to let cloud run services connect to each other privately.

cerbos, seems pretty cool - wondering if I can combine derivedRoles w/ a logical AND op when I write resourcePolicy

is this https://github.com/cerbos/cerbos/blob/main/api/public/cerbos/policy/v1/policy.proto the closest thing to a schema for refrence if I feel like the examples are not cutting it

Hi all, I am working on a POC. Have the following requirements. • Only selected users within a teanant can view selected forms • Users can be a part of a group, and creation/updation would be dynamic from UI. How can I achieve this with cerbos?

We have a use case that requires an approach for managing roles and permissions. In our system, there are static roles like "system-administration" that are not tied to any specific company or project. These roles should not be altered or updated except during system deployments. We also want to enable company administrators to manage their own roles and permissions dynamically. For example, "Project A" might have three distinct roles with varying access levels (admin, manager, user), while "Project B" could have only two roles, each with its own permission roles (administrator and user). These roles are specific to individual projects, but the available actions within the company and projects are predefined by us. How can we establish policies to verify role permissions for each specific project, considering that the roles are dynamic?

Hey, Cerbos team. We are having a problem with cerbos instance running in lambda. Could you please help us understand what is wrong?

Hi, Cerbos team, First of all thank you for this great product! We started using it to implement authorization for our saas system. We have a backend written in python fastapi that will handle verifying that logged in users have the necessary permissions. We want to define in the code what kinds of resources exist and. what actions are defined for each user, so that each service can use values from those classes, instead of strings when calling cerbos. We thought of using pydantic models for that, since fastapi is tightly integrated with the pydantic ecosystem. Is there maybe an example blueprint of what is the recommended way to do it?

Hello Cerbos team/community! What's the best way of representing relationships that are "delegating"? For instance, I have two checks: 1. Can principal P book hotel room R? 2. Can principal P book a room in hotel H? I want these two to be separate resource policies on hotel room (R) and hotel (H). I would like there to be a default policy such that the answer to policy 1: "Can principal P book hotel room R?" actually delegates to policy 2 "Can principal P book a room in hotel H". R has an attribute that includes hotel_id on it. This seems like a common pattern, what's the best way of thinking about this conceptually in Cerbos land? Thanks!

Hi cerbos team, quick question. From what I understand, if there are 2 rules that apply for a given input - the DENY rule takes precedence I want to have rules to deny access to a resource based on attr conditions, for all roles, except for a superUser role. What is the best way to do that? Is there maybe a way to specify that the superUser roles has EFFECT_ALLOW for all actions - and to specify that this rule overrides every other rule?

Hi Cerbos team. Is it possible to send in attributes for all associated projects? Say that a user is associated with 3 different projects. The user has different roles in different projects. Can I send the complete project state in the principal attributes, and then check if the principal has access to a resource based on the parent project of the resource? For example:

{
  id: 'john',
  attr: {
    projects: [{id: 1, role: 'user'},{id: 2, role: 'manager'},{id: 3, role: 'owner'}]
  }
}

with a resource like

{
  "kind": "file",
  "attr": {
    "parentProjectId": 1,
    "name": "taxes.txt",
    "createdAt": "2023-05-011T10:00:00.021-05:00"
  }
}

and then create a derived role like

derivedRoles:

  definitions:
    - name: project_owner
      condition:
        match:
          expr: <check if the role is 'owner' in the element of P.attr.projects with the id matching the R.attr.parentProjectId>

Is it possible to write such a match-string? I know I can single out the project before sending the check, but if I can send the whole project state of a user (that rarely changes) it would be preferred.

so I want to implement a custom function that given an array and some integer n returns all possible n-sized combinations of elements w/in the array - is implementing this as custom function the best way? are the modules I can import that implement stuff like this? maybe @Dennis (Cerbos) or @Alex Olivier (Cerbos)

Q: Does serverInfo return a success mean the policies have been loaded correctly as well? I’m moving cerbos from a server model behind an load balancer to a sidecar, meaning it’ll be deployed far more frequently and want to make sure 🙂

i'm using below snippent to add or update the policy.

func (c *Client) AddOrUpdatePolicy(ctx context.Context) error {
    policySet := &cerbosclient.PolicySet{}
    if err := c.CerbosAdminClient.AddOrUpdatePolicy(ctx, policySet); err != nil {
        c.log.Errorf("Failed to add or update policy", err)
        return err
    }

    return nil
}
it is nt working, can someone help me on this

hello. according to https://docs.cerbos.dev/cerbos/latest/policies/compile.html#_running_tests,

To run the tests, provide the path to the tests directory using the --tests flag.

However, I've found that if I do not provide the

--tests

flag, the

cerbos

binary still goes ahead and self-discovers the test yamls and runs them.

hi all - thank for your help so far, if there a way to use s.think like regex to define a resource policy where derived role naming choices/convention can be leveraged - example in thread

have my basic set of policies - currently using the recommended docker-powered test approach to validate/test - ex:

docker run -i -t -v /path/to/policy/dir:/policies <http://ghcr.io/cerbos/cerbos:0.26.0|ghcr.io/cerbos/cerbos:0.26.0> compile /policies

however I notice that I have to place all of my resources in a single flat directory structure , so I get a role import error w/in my resourcePolicy doc when I try to keep thing tidy w/ /policies/derivedRoles and /policies/resources - whats the quick fix here? Thank you Cerbos - sorry for @ing ppl

Hi Cerbos - another question say I have a backend endpoint w/ some path /base_path/list_all_widgets Normally GETting on this would returns all widgets - some of those are type A, B, C.. etc now I have derivedRoles, say A-Read, B-Read, . .etc. given that most example I see have the cerbos.isAllowed(..) call take place before hitting the resource in question - how should I approach this case? • Is it even correct to think of /base_path/list_all_widgets as a single resource? ◦ should I create some new paths: /base_path/list_widgets/arg=widget_type and /base_path/list_allowed_widget_types? • Is there a good example of how to handle this kind of case? •

Hi Cerbos team, I have several questions Let's start with my requirement, i do want to make a file storage system that the user who upload files can expose file(read, write) public or private also share to specific organize, team, person so, I made a simple request and policy like this in reply (I think it's too long)

any chatter around github flakiness impacting git stored policies? now that i’m moving to a sidecar model we’re pulling down the policies on every deploy. seeing some flakiness spinning things up.

Is it possible to push the authorization check into the service mesh? For example, I can push authentication into the service mesh by configuring istio to not allow connections without a valid JWT, and redirect users to get a JWT if they don't have one, then validate the ones that do exist prior to sending connections to my service. Can I do the same thing at the service mesh level to either prevent network requests from even hitting my system if they aren't allowed by the rules, or block or filter responses if the resources returned also fail rules with the user principle from istio?

Hi, is it possible to set up cerbos with an github app installation token instead of a PAT?

Hello, We are studying Cerbos and I have a question - I'm exploring the multi-tenant SaaS demo and I'm probably missing something. We have a multi-tenant solution that manages companies in which a user can be a Project Manager in one company and a Company Administrator in another company. The companies, users and their role mappings are all managed in MySQL database (Python Django based application with DRF). I'm not clear what is the right approach to handle this scenario with Cerbos. AFAIU, the multi-tenant SaaS demo is built with a single role per user and users only exist in a single tenant. What happens if my role is context aware to the specific company I'm currently working in, but I can have multiple roles? can you direct me to the right place in docs or a sample? Thx

Hello guys! Is there some mechanism for role inheritance? For example, say I have 3 policies A, B, C and 3 roles. Role 1 can access policy A, role 2 can access policy B and role 3 can access policy C. What would be the best way of defining a role 4 such that it inherits all the policies of roles 1 and 2 (i.e. A and B, but not C) aside from creating the new role and manually changing my policies? Is this something that could be done with derived roles?

hey team... we're reviewing using Cerbos in a multitenant ROR app. it has system-defined roles (eg. users can do X, admins can do X+Y), but down the line we'll need to support admins creating other policies (eg. guests can do some of X and have read access to specific records). How can these dynamic policies be achieved with Cerbos without hardcoding them into a yml file? Thanks

Hello guys! I’m trying to adopt Cerbos to power our org needs and so far with static roles definitions it looks really good. However, I’m now coding a POC to allow users to configure roles for other users and I couldn’t find any querying mechanism to fetch policies say by

scope

or

resource kind

or both. The only way to do that is

.list()

method which seems to be highly inefficient with

1000s

of items in the DB. The why: tenants may override/create their own roles based on the list of available resources (fetched from authorization server policies) and their actions (extracted from policies). Is that even possible? Thank you 🙏

Hey guys! Question about performance. Let’s say at some point FGA will be needed, there will be Resource Policies per individual object (

kind: Parent.Entity.aFhAsd273hd2asda

). This might grow to 100k+ policies in DB. How does Cerbos behave at a scale?

Hi Guys, I am trying to get up and running with Cerbos for local development ideally using docker compose, are there any guides covering this? Keeping in mind that I'd interacting with Cerbos from a node.js application, Thanks 🙏