Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

cerbos, seems pretty cool - wondering if I can combine derivedRoles w/ a logical AND op when I write resourcePolicy

or does that implicitly involve role inheritance (and is hence not supported)

for example say I have derivedRole based on locale then a derivedRole based on function (ex: manager)

i want to write a resourcePolicy that allows Florida based managers to perform some action

I know I can create  “Florida_manager” derivedRole

Thanks. I got your use case.
That’s not supported now, but we are considering adding it.

can you recommend a best practice for this at the moment

This is the approach of creating “Florida_manager” roles unfortunately, but as a temporary workaround, you can use Yaml manipulation tools to avoid copy-pasting.

what are some yaml manipulation would you recommend for this - im familiar w yq

<https://carvel.dev/ytt/|ytt> is my personal favourite.

<@U0283CLRWG6> or <@U04PGHZ84F8> - in defining a derivedRole - looks like parentRoles have to original id issuer role (or whatever I choose to stick into the request in the _roles_ [] list) it _cannot_ be another derived role - can you confirm?

Correct, you can’t use another derived role as a parent role. You can only reference roles that you pass in the request, with the exception of using wildcards.

ok makes sense - back to the whole ‘no role hierarchy’ as a intentional design choice, makes sense

since I’m mostly using attributes to determine derivedRoles

No, there’s NO notion of a default parent role, but you can use `*`meaning any role.

ok playing w/ ytt - can someone point me to a cerbos specific example - maybe <@U0283CLRWG6> cc <@U02D2JSV745>

I don’t think we have a public example with ytt.

got it, I have something I can push if there is repo where that makes sense

Please push to your own repo and share the link on <#C028A53GAJE|community>