Hello, one of your needs is to have a UI where you can select a role (or a named group of permissions/permissions template) to see all the permissions that are associated with it. (And eventually edit it but not confirmed yet).
The closest I could find is /api/plan/resources but I'm not sure it works in this case.
Is there a way to do that with Cerbos or do I have to maintain this information in a separate DB? If that's the case, I guess I'm finding myself in a position where I need to bidirectionally sync my DB and Cerbos every time there is a change? (Hence adding coupling)
Alex Olivier (Cerbos)
03/14/2023, 3:56 PM
Due to the way that the effective permissions are computed - through things like derived roles etc - it is tricky (but not impossible) to produce a list of permissions for a role as the result will be:
• only under some set of conditions
If you take for example rules which match based on time of day, you will get back a different set of permissions depending when the request is made.
Generally we see just the roles being exposed in a UI to end users, and the nitty-gritty Role<>Permissions logic kept just in the policies.
That said, with the Admin API you can fetch the policies currently being served from a Cerbos PDP and then derive this yourself into a UI.