https://cerbos.dev logo
#help
Title
# help
a

Alex Ermolin

05/10/2023, 8:36 AM
Hi cerbos team, quick question. From what I understand, if there are 2 rules that apply for a given input - the DENY rule takes precedence I want to have rules to deny access to a resource based on attr conditions, for all roles, except for a superUser role. What is the best way to do that? Is there maybe a way to specify that the superUser roles has EFFECT_ALLOW for all actions - and to specify that this rule overrides every other rule?
a

Andrew Haines (Cerbos)

05/10/2023, 8:42 AM
DENY rules always take precedence, so it's not possible to do exactly what you're describing. Could you either • invert the conditions and use ALLOW rules to implement your resource permissions, or • only list the roles you want to deny access to on the rule, so that it doesn't apply to the superUser role?
a

Alex Ermolin

05/10/2023, 8:45 AM
The first option I think might lead to duplications. About the second option - is it possible maybe to specify something like inverse match regex in roles:
roles: "^(superUser)
Alternatively, is it possible to achieve that with PrincipalPolicies?
Here is an example of what I would like to do
Copy code
- actions: ["*"]
      effect: EFFECT_ALLOW
      roles:
        - superUser

    - actions: ["*"]
      effect: EFFECT_DENY
      roles: ["*"]
      condition:
        match:
          expr: R.attr.email == "<mailto:secret@gmail.com|secret@gmail.com>"

    - actions: [ "*" ]
      effect: EFFECT_ALLOW
      roles: [ "*" ]
      condition:
        match:
          all:
            of:
              - expr: R.attr.email == "<mailto:secret@gmail.com|secret@gmail.com>"
              - none:
                  of:
                    - expr: P.attr.clearance == "TopSecret"
                    - expr: P.role == "SuperUser" # Does something like this exists?
a

Andrew Haines (Cerbos)

05/10/2023, 9:23 AM
Principal policies only work for a specific principal ID (not a whole role). You could probably define a derived role like this
Copy code
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: common
  definitions:
    - name: notSuperUser
      parentRoles:
        - foo
        - bar
        - every role that isn't superUser...
a

Alex Ermolin

05/10/2023, 9:25 AM
That's a good idea, thanks!
a

Andrew Haines (Cerbos)

05/10/2023, 9:26 AM
No problem 🙂
9 Views