# help
Hi cerbos team, quick question. From what I understand, if there are 2 rules that apply for a given input, the DENY rule takes precedence. I want to have rules that deny access to a resource based on attribute conditions, for all roles except for a superUser role. What is the best way to do that? Is there maybe a way to specify that the superUser role has EFFECT_ALLOW for all actions, and to specify that this rule overrides every other rule?
DENY rules always take precedence, so it's not possible to do exactly what you're describing. Could you either:
• invert the conditions and use ALLOW rules to implement your resource permissions, or
• only list the roles you want to deny access to on the rule, so that it doesn't apply to the superUser role?
The first option, I think, might lead to duplication. About the second option: is it possible maybe to specify something like an inverse-match regex in roles:
roles: "^(superUser)
Alternatively, is it possible to achieve that with PrincipalPolicies?
Here is an example of what I would like to do
```yaml
# Policy header added so the rules below load as a complete resource policy;
# the resource name and version are assumed placeholders.
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: document   # assumed resource name
  version: default
  rules:
    # superUser is allowed everything, but a matching DENY rule below still wins
    - actions: ["*"]
      effect: EFFECT_ALLOW
      roles:
        - superUser

    # deny every role when the resource belongs to the protected address
    - actions: ["*"]
      effect: EFFECT_DENY
      roles: ["*"]
      condition:
        match:
          expr: R.attr.email == "secret@gmail.com"

    # allow the protected resource only when none of the listed exceptions hold
    - actions: ["*"]
      effect: EFFECT_ALLOW
      roles: ["*"]
      condition:
        match:
          all:
            of:
              - expr: R.attr.email == "secret@gmail.com"
              - none:
                  of:
                    - expr: P.attr.clearance == "TopSecret"
                    - expr: P.role == "SuperUser" # does something like this exist?
```
Principal policies only work for a specific principal ID (not a whole role). You could probably define a derived role like this:
```yaml
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: common
  definitions:
    # principals holding any of the parent roles are treated as notSuperUser
    - name: notSuperUser
      parentRoles:
        - foo
        - bar
        # ...every role that isn't superUser
```
That's a good idea, thanks!
No problem 🙂