# community
v
Hi - thanks for this great project! Two requirements I have:
1. Field level security. When creating a policy, I want to be able to specify which fields in the resource the principal has access to, and which actions are allowed per field.
2. Allowed values per field. When creating a policy, for a certain field, say age, I want to be able to create an expression which whitelists allowed values for that field. For instance: `age > 0 && age < 18`. CEL should work here but I need some way to tie a condition to a field, not to the entire resource.
Is this possible easily? Thank you 🙏
c
Hi. Yes, it's possible with a bit of creative policy rule writing. You can prefix the action with the field in your policy rules. For example: action could be `age:edit` and then define the conditions for editing the age field. Cerbos supports hierarchical naming for actions using the `:` delimiter so you get the ability to do things like allowing all actions on a field by writing a wildcard like `age:*` as well.
```yaml
rules:
    - actions: ['age:*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - owner
```
v
Hi @Charith (Cerbos), thank you. So you are suggesting having actions like `age:create`, `age:edit`, `age:read`. What if I had a `PersonField` resource and tied that to my `Person` resource? Then to edit a field you need to have permission on the `PersonField` (column level security) and parent `Person` (row level security). Is this a feasible approach with Cerbos?
c
You could model it that way too. But, you could probably delegate the "row-level" checks to a derived role instead of a dedicated policy, unless you have a very complicated set of rules you want to enforce at that level.
v
Thanks. Unfortunately, my row level checks are quite complicated. I will need to use scoped policies.
What I'm struggling with is how do I express something like: a user can read a `PersonField` in a `Person` row if they have read access to the `PersonField` (policy 1), and also access to the row (policy 2). Basically, given a CheckPermissions request, I need to evaluate a policy for the resource, and another sub-policy for each field. Is this possible?
c
Well, you'll have to do this on the client side. The request is a batch one, so you can include the check for the `Person` and `PersonField` in the same request. When it returns, you'll have to check that both returned ALLOW. The other way to do this is to do the row check first and include that as an attribute in the request to the column check so that those checks are implicitly linked.
v
Thank you, this solves my problem!