https://cerbos.dev logo
#community
Title
# community
v

Veeral Patel

04/30/2023, 7:12 PM
Hi - thanks for this great project! Two requirements I have: 1. Field level security When creating a policy, I want to be able to specify which fields in the resource the principal has access to, and which actions are allowed per field 2. Allowed values per field When creating a policy, for a certain field, say age, I want to be able to create an expression which whitelists allowed values for that field. For instance: "age > 0 && age < 18" CEL should work here but need some way to tied a condition to a field not to the entire resource Is this possible easily? Thank you 🙏
c

Charith (Cerbos)

05/01/2023, 8:07 AM
Hi. Yes, it's possible with a bit of creative policy rule writing. You can prefix the
action
with the field in your policy rules. For example: action could be
age:edit
and then define the conditions for editing the age field. Cerbos supports hierarchical naming for actions using the
:
delimiter so you get the ability to do things like allowing all actions on a field by writing a wildcard like
age:*
as well.
Copy code
rules:
    - actions: ['age:*']
      effect: EFFECT_ALLOW
      derivedRoles:
        - owner
v

Veeral Patel

05/01/2023, 1:36 PM
Hi @Charith (Cerbos), thank you. So you are suggesting having actions like
age:create
,
age:edit
,
age:read
. What if I had a
PersonField
resource and tied that to my
Person
resource? Then to edit a field you need to have permission on the
PersonField
(column level security) and parent
Person
(row level security) Is this a feasible approach with Cerbos?
c

Charith (Cerbos)

05/01/2023, 1:57 PM
You could model it that way too. But, you could probably delegate the "row-level" checks to a derived role instead of a dedicated policy, unless you have a very complicated set of rules you want to enforce at that level.
v

Veeral Patel

05/01/2023, 2:56 PM
Thanks. Unfortunately, myy row level checks are quite complicated. I will need to use scoped policies
What I'm struggling with is how do I express something like: A user can read a PersonField in a Person row if they have read access to the PersonField (policy 1), and also access to the row (policy 2) Basically given a CheckPermissions request I need to evaluate a policy for the resource, and another sub-policy for each field. Is this possible?
c

Charith (Cerbos)

05/01/2023, 3:37 PM
Well, you'll have to do this on the client side. The request is a batch one, so you can include the check for the
Person
and
PersonField
in the same request. When it returns, you'll have to check that both returned ALLOW. The other way to do this is to do the row check first and include that as an attribute in the request to the column check so that those checks are implicitly linked.
v

Veeral Patel

05/02/2023, 3:31 AM
Thank you, this solves my problem!
13 Views