Jesum Yip

03/23/2023, 6:13 AM
consider the following: if I have a user with these attributes:
1. Name = John
2. Age = 35
3. Location = Moon
I then model these derived roles:
1. Derived Role = "middle-class-user" if Age = 35
2. Derived Role = "super-user" if Name = John AND Age > 30
In this case, when Cerbos evaluates a derived role, it will arbitrarily decide whether the user is "middle-class-user" or "super-user", correct? This is due to the ambiguity of the derived role policy?
and this really depends on which order the derived roles get evaluated in, which is something we can't control and we should not rely on.
is this understanding correct?

Dennis (Cerbos)

03/23/2023, 6:17 AM
John will have both derived roles.
A principal can have multiple “parent” roles. In the same way, a principal can have multiple “derived” roles.

Jesum Yip

03/23/2023, 6:21 AM
oooooooh. so if I write a policy that gives access to "super-user" only, then John will be given EFFECT.ALLOW
ok very nice!