Hi cerbos team quick question From what I understand if ther

Question

Hi cerbos team quick question From what I understand if there are 2 rules that apply for a given input the DENY rule takes precedence I want to have rules to deny access to a resource based on attr conditions for all roles except for a superUser role What is the best way to do that Is there maybe a way to specify that the superUser roles has EFFECT ALLOW for all actions and to specify that this rule overrides every other rule

Andrew Haines (Cerbos) · Answer

DENY rules always take precedence so it s not possible to do exactly what you re describing Could you either invert the conditions and use ALLOW rules to implement your resource permissions or only list the roles you want to deny access to on the rule so that it doesn t apply to the superUser role

Alex Ermolin · Answer

The first option I think might lead to duplications About the second option is it possible maybe to specify something like inverse match regex in roles `roles ^ superUser `

Alex Ermolin · Answer

Alternatively is it possible to achieve that with PrincipalPolicies

Alex Ermolin · Answer

Here is an example of what I would like to do ``` actions effect EFFECT ALLOW roles superUser actions effect EFFECT DENY roles condition match expr R attr email == actions effect EFFECT ALLOW roles condition match all of expr R attr email == none of expr P attr clearance == TopSecret expr P role == SuperUser Does something like this exists ```

Andrew Haines (Cerbos) · Answer

Principal policies only work for a specific principal ID not a whole role You could probably define a derived role like this ```apiVersion api cerbos dev v1 derivedRoles name common definitions name notSuperUser parentRoles foo bar every role that isn t superUser ```

Alex Ermolin · Answer

That s a good idea thanks

Andrew Haines (Cerbos) · Answer

No problem slightly smiling face