# help
w
Hello Cerbos team/community! What's the best way of representing relationships that are "delegating"? For instance, I have two checks: 1. Can principal P book hotel room R? 2. Can principal P book a room in hotel H? I want these two to be separate resource policies on hotel room (R) and hotel (H). I would like there to be a default policy such that the answer to policy 1, "Can principal P book hotel room R?", actually delegates to policy 2, "Can principal P book a room in hotel H?". R has an attribute that includes hotel_id on it. This seems like a common pattern; what's the best way of thinking about this conceptually in Cerbos land? Thanks!
d
Hi, resource policies for different resource kinds are unrelated, so you'll need to develop a single resource kind. Then I think you have some options:
1. Action-led. Actions can have wildcards. For example, in the application, you can use `book:room` / `book:hotel` actions. Then your resource policy can have different rules for the `book:room` action and the `book:*` action. The latter rule will be checked for both actions.
2. Using scoped policies.
w
Thanks for the response! Hmm, for 1 (action-led), does this work even if I need to evaluate for the specific instances of the resource? e.g. hotel room 123 and hotel 456, but only some principals can book hotel 456? In that case how would the `book:*` action work?
d
You can add more components to the action: `book:room:<room-id>:hotel:<hotel-id>`. Then in the policies, you can have rules:
- `book:room:*:hotel:*` - booking any room in any hotel.
- `book:room:*:hotel:456` - booking any room in the specified hotel.
- `book:room:123:hotel:456` - booking the specified room in the specified hotel.

> but only some principals can book hotel 456?

If the number of these principals is small, you may consider principal policies instead.