David Nilsdotter 05/09/2023, 12:56 PM
Andrew Haines (Cerbos)
rules to create more limited roles within each tenant/project. By using rules instead of at this layer, it prevents you from accidentally granting permissions that weren't granted in the root scope "system" policies.
There's a (static) example of this setup here: https://github.com/cerbos/demo-multitenant-saas
You'd have to build a layer that translates your roles & permissions UI into Cerbos policies and calls the Admin API to apply updates.
For approach 2, you'd store the custom roles and permissions in a database somewhere and pass them to Cerbos as principal attributes, keeping your Cerbos policies static but using the principal attributes in conditions in derived roles and/or resource policies.
Approach 2 is probably easier unless your dynamic roles system is very sophisticated.
David Nilsdotter 05/09/2023, 1:30 PM