David Nilsdotter

05/11/2023, 7:59 AM
Hi Cerbos team. Is it possible to send in attributes for all associated projects? Say that a user is associated with 3 different projects. The user has different roles in different projects. Can I send the complete project state in the principal attributes, and then check if the principal has access to a resource based on the parent project of the resource? For example:
{
  id: 'john',
  attr: {
    projects: [{id: 1, role: 'user'}, {id: 2, role: 'manager'}, {id: 3, role: 'owner'}]
  }
}
with a resource like
{
  "kind": "file",
  "attr": {
    "parentProjectId": 1,
    "name": "taxes.txt",
    "createdAt": "2023-05-11T10:00:00.021-05:00"
  }
}
and then create a derived role like

    - name: project_owner
      condition:
        match:
          expr: <check if the role is 'owner' in the element of P.attr.projects with the id matching the R.attr.parentProjectId>
Is it possible to write such a match-string? I know I can single out the project before sending the check, but if I can send the whole project state of a user (that rarely changes) it would be preferred.

Charith (Cerbos)

05/11/2023, 8:07 AM
Yes, of course, you can do that. The only thing to be conscious of is that if the set of projects for a user is very large (hundreds or thousands) you'll be sending a large request to Cerbos every time you do a check. That might have some overhead. Otherwise, it's perfectly fine.

David Nilsdotter

05/11/2023, 9:07 AM
Thanks. We are not working with such large data sets per user. At most we are discussing up to 10-20 projects for a single user.