consider the following: if i have a user with thes...
# helpj
Jesum Yip
03/23/2023, 6:13 AMconsider the following: if i have a user with these attributes:
1. Name = John
2. Age = 35
3. Location = Moon
I then model these derived roles:
1. Derived Role = "middle-class-user" if Age = 35
2. Derived Role = "super-user" if Name = John AND Age > 30
In this case, when cerbos evaluates a derived role, it will arbitrarily decide whether the user is "middle-class-user" or "super-user" correct? This is due to the ambiguity of the derived role policy?
Jesum Yip
03/23/2023, 6:14 AMand this really depends in which order the derived roles get evaluated, which is something we can't control and we should not rely on.
Jesum Yip
03/23/2023, 6:14 AMis this understanding correct?
d
Dennis (Cerbos)
03/23/2023, 6:17 AM
John will have both derived roles.
Dennis (Cerbos)
03/23/2023, 6:19 AM
A principal can have multiple “parent” roles. In the same way, a principal can have multiple “derived” roles.
j
Jesum Yip
03/23/2023, 6:21 AMoooooooh. so if i write a policy that gives access to "super-user" only, then John will be given EFFECT.ALLOW
Jesum Yip
03/23/2023, 6:21 AMok very nice!
13 Views