Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Hi! Is there any way I can check for both a derived role and an expression in a policy (or if not, at least to check that two derived roles are met simultaneously)? Thanks!

Yup this works by defining the expressions on the rule which also checks for a derived role.

Take a look at the `view:approver` action in this example: <https://play.cerbos.dev/p/XhkOi82fFKk3YW60e2c806Yvm0trKEje>

Thanks, that works! Is there any option for the policy needing to meet at least two derived roles? 

If I understand you correctly, it's not possible to specify that the principal _must_ have `derived_role_a AND derived_role_b`.  If you want to ensure that both conditions from those derived roles have been met, you'd need to define a third derived role that encompasses both conditions and write your policy rule targeting only that new derived role.