Alex Ermolin
05/10/2023, 8:36 AM
Andrew Haines (Cerbos)
05/10/2023, 8:42 AM
Alex Ermolin
05/10/2023, 8:45 AM
roles: "^(superUser)
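# Two entries that appear to belong to the `rules` list of a Cerbos resource
# policy (nesting restored from a flattened chat paste).
#
# Rule 1: principals holding the superUser role may perform every action.
- actions: ["*"]
  effect: EFFECT_ALLOW
  roles:
    - superUser
# Rule 2: every role is denied every action on a resource whose `email`
# attribute equals the literal below.
# NOTE(review): roles ["*"] also covers superUser, so both rules match a
# superUser request for that resource. Cerbos is expected to let a matching
# DENY win over an ALLOW, which would lock superUser out as well - confirm
# against the Cerbos policy-evaluation docs before relying on rule 1 here.
- actions: ["*"]
  effect: EFFECT_DENY
  roles: ["*"]
  condition:
    match:
      # The paste carried chat-export link markup around the address; the
      # plain address is restored so the comparison can actually match.
      expr: R.attr.email == "secret@gmail.com"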
# Alternative rule posted in the same thread. The paste lost its indentation,
# so the nesting of the condition operators is not recoverable with certainty
# and the lines are left exactly as posted.
# NOTE(review): the effect is EFFECT_ALLOW for roles ["*"], so whatever the
# condition selects is granted access; how the `none` block is nested decides
# who gets in - TODO confirm the intended nesting before reusing this rule.
- actions: [ "*" ]
effect: EFFECT_ALLOW
roles: [ "*" ]
condition:
match:
# all.of: every entry listed under it has to hold.
all:
of:
# NOTE(review): the string literal carries chat-export link markup
# (<mailto:...|...>); the intended literal is presumably "secret@gmail.com".
- expr: R.attr.email == "<mailto:secret@gmail.com|secret@gmail.com>"
# none.of: no entry listed under it may hold.
- none:
of:
- expr: P.attr.clearance == "TopSecret"
# NOTE(review): it is unclear from the flattened paste whether the next entry
# sits under none.of or under all.of. A principal carries a list of roles, so
# a single-valued P.role is presumably not available; a membership test such
# as `"superUser" in P.roles` is the likely form - confirm against the Cerbos
# condition docs. The spelling "SuperUser" also differs in case from the
# superUser role used elsewhere in this thread.
- expr: P.role == "SuperUser" # Does something like this exists?
Andrew Haines (Cerbos)
05/10/2023, 9:23 AM
apiVersion: api.cerbos.dev/v1
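# Derived-roles definition suggested in the thread (nesting restored from a
# flattened chat paste). `notSuperUser` is assigned to a principal holding any
# of the listed parent roles; presumably a rule can then target "everyone but
# superUser" by naming this derived role instead of roles: ["*"].
derivedRoles:
  name: common
  definitions:
    - name: notSuperUser
      parentRoles:
        - foo
        - bar
        # Placeholder from the original message, not a real role name: list
        # each concrete role other than superUser here.
        # NOTE(review): this is an enumerated list, so a role introduced later
        # and not added here would not receive notSuperUser and would fall
        # outside any DENY rule keyed on it - keep the list in sync with the
        # full set of roles.
        - every role that isn't superUser...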
Alex Ermolin
05/10/2023, 9:25 AM
Andrew Haines (Cerbos)
05/10/2023, 9:26 AM