Title
v
Veeral Patel
04/30/2023, 7:12 PMHi - thanks for this great project! Two requirements I have:
1. Field level security
When creating a policy, I want to be able to specify which fields in the resource the principal has access to, and which actions are allowed per field
2. Allowed values per field
When creating a policy, for a certain field, say age, I want to be able to create an expression which whitelists allowed values for that field. For instance: "age > 0 && age < 18"
CEL should work here but need some way to tied a condition to a field not to the entire resource
Is this possible easily? Thank you 🙏
c
Charith (Cerbos)
05/01/2023, 8:07 AMHi. Yes, it's possible with a bit of creative policy rule writing. You can prefix the
actionage:edit:age:*rules:
- actions: ['age:*']
effect: EFFECT_ALLOW
derivedRoles:
- ownerv
Veeral Patel
05/01/2023, 1:36 PMHi @Charith (Cerbos), thank you. So you are suggesting having actions like
age:createage:editage:readPersonFieldPersonPersonFieldPersonc
Charith (Cerbos)
05/01/2023, 1:57 PMYou could model it that way too. But, you could probably delegate the "row-level" checks to a derived role instead of a dedicated policy, unless you have a very complicated set of rules you want to enforce at that level.
v
Veeral Patel
05/01/2023, 2:56 PMThanks. Unfortunately, myy row level checks are quite complicated. I will need to use scoped policies
What I'm struggling with is how do I express something like:
A user can read a PersonField in a Person row if they have read access to the PersonField (policy 1), and also access to the row (policy 2)
Basically given a CheckPermissions request I need to evaluate a policy for the resource, and another sub-policy for each field. Is this possible?
c
Charith (Cerbos)
05/01/2023, 3:37 PMWell, you'll have to do this on the client side. The request is a batch one, so you can include the check for the
PersonPersonFieldv
Veeral Patel
05/02/2023, 3:31 AMThank you, this solves my problem!