https://cerbos.dev logo
#help
Title
# help
h

Hugo Tiem

03/30/2023, 3:33 PM
Hi, i'm currently working on some permissions on Cerbos Playground but tests results doesn't match with conditions i set for each role in my resource and i dont understand why. Thanks
c

Charith (Cerbos)

03/30/2023, 3:34 PM
Do you have the link to the playground?
There doesn't seem to be any tests in that playground instance
h

Hugo Tiem

03/30/2023, 3:55 PM
yes you right. i forgot to save it. but i set some principals and resource on the right side and it says denied
c

Charith (Cerbos)

03/30/2023, 3:57 PM
Can you give me an example of a principal, resource and action that you used and got an unexpected result for?
h

Hugo Tiem

03/30/2023, 4:06 PM
principals :
Copy code
{
  "id": "member123",
  "roles": [
    "MEMBER"
  ],
  "attr": {
    "user": {
      "employeeId": "test"
    }
  }
}

{
  "id": "owner123",
  "roles": [
    "OWNER"
  ],
  "attr": {}
}
and resource
Copy code
{
  "id": "manage_content_id",
  "kind": "content",
  "attr": {
    "author": {
      "userId": "owner123",
      "employeeId": "test",
      "user": {
        "organisation": {
          "employees": [
            "member123"
          ],
          "owners": [
            "owner123"
          ],
          "managers": [
            "manager123"
          ]
        }
      }
    }
  }
}
c

Charith (Cerbos)

03/30/2023, 4:23 PM
I don't see any problem. I am guessing that the cause of your confusion is you're mixing up roles and derived roles. Derived roles are something that Cerbos decides based on the request data. All your derived roles are based on the
parentRole
of
user
. However, in your request, instead of saying that the principal's role is
user
, you're sending the name of the derived role.
Try with a principal like the following and you'll start seeing your expected results.
Copy code
{
  "id": "member123",
  "roles": [
    "user"
  ],
  "attr": {
    "user": {
      "employeeId": "test"
    }
  }
}
We have an explanation of the difference between roles and derived roles at the bottom of the page here: https://docs.cerbos.dev/cerbos/latest/policies/derived_roles.html
h

Hugo Tiem

03/30/2023, 4:48 PM
oh yes i see. i did miss that part. Anyway it works now, thank you!
9 Views