Veeral Patel
04/30/2023, 7:12 PM
Charith (Cerbos)
05/01/2023, 8:07 AM
action with the field in your policy rules. For example: action could be age:edit and then define the conditions for editing the age field. Cerbos supports hierarchical naming for actions using the : delimiter so you get the ability to do things like allowing all actions on a field by writing a wildcard like age:* as well.
rules:
  - actions: ['age:*']
    effect: EFFECT_ALLOW
    derivedRoles:
      - owner
Veeral Patel
05/01/2023, 1:36 PM
age:create, age:edit, age:read.
What if I had a PersonField resource and tied that to my Person resource? Then to edit a field you need to have permission on the PersonField (column level security) and parent Person (row level security)
Is this a feasible approach with Cerbos?
Charith (Cerbos)
05/01/2023, 1:57 PM
Veeral Patel
05/01/2023, 2:56 PM
Charith (Cerbos)
05/01/2023, 3:37 PM
Person and PersonField in the same request. When it returns, you'll have to check that both returned ALLOW.
The other way to do this is to do the row check first and include that as an attribute in the request to the column check so that those checks are implicitly linked.
Veeral Patel
05/02/2023, 3:31 AM