David Nilsdotter
05/09/2023, 12:56 PM
Andrew Haines (Cerbos)
DENY rules to create more limited roles within each tenant/project. Using DENY rules instead of ALLOW at this layer prevents you from accidentally granting permissions that weren't granted in the root scope "system" policies.
There's a (static) example of this setup here: https://github.com/cerbos/demo-multitenant-saas
You'd have to build a layer that translates your roles & permissions UI into Cerbos policies and calls the Admin API to apply updates.
For approach 2, you'd store the custom roles and permissions in a database somewhere and pass them to Cerbos as principal attributes, keeping your Cerbos policies static but using the principal attributes in conditions in derived roles and/or resource policies.
Approach 2 is probably easier unless your dynamic roles system is very sophisticated.
David Nilsdotter
05/09/2023, 1:30 PM