Title
h
Hugo Tiem
03/30/2023, 3:33 PMHi, i'm currently working on some permissions on Cerbos Playground but tests results doesn't match with conditions i set for each role in my resource and i dont understand why. Thanks
c
Charith (Cerbos)
03/30/2023, 3:34 PMDo you have the link to the playground?
There doesn't seem to be any tests in that playground instance
h
Hugo Tiem
03/30/2023, 3:55 PMyes you right. i forgot to save it. but i set some principals and resource on the right side and it says denied
c
Charith (Cerbos)
03/30/2023, 3:57 PMCan you give me an example of a principal, resource and action that you used and got an unexpected result for?
h
Hugo Tiem
03/30/2023, 4:06 PMprincipals :
{
"id": "member123",
"roles": [
"MEMBER"
],
"attr": {
"user": {
"employeeId": "test"
}
}
}
{
"id": "owner123",
"roles": [
"OWNER"
],
"attr": {}
}{
"id": "manage_content_id",
"kind": "content",
"attr": {
"author": {
"userId": "owner123",
"employeeId": "test",
"user": {
"organisation": {
"employees": [
"member123"
],
"owners": [
"owner123"
],
"managers": [
"manager123"
]
}
}
}
}
}c
Charith (Cerbos)
03/30/2023, 4:23 PMI don't see any problem. I am guessing that the cause of your confusion is you're mixing up roles and derived roles. Derived roles are something that Cerbos decides based on the request data. All your derived roles are based on the
parentRoleuseruserTry with a principal like the following and you'll start seeing your expected results.
{
"id": "member123",
"roles": [
"user"
],
"attr": {
"user": {
"employeeId": "test"
}
}
}We have an explanation of the difference between roles and derived roles at the bottom of the page here: https://docs.cerbos.dev/cerbos/latest/policies/derived_roles.html
h
Hugo Tiem
03/30/2023, 4:48 PMoh yes i see. i did miss that part. Anyway it works now, thank you!