Hello guys Is there some mechanism for role inheritance For Cerbos Community #help

Hello guys! Is there some mechanism for role inher...

Luis Diaz

05/25/2023, 1:36 PM

Hello guys! Is there some mechanism for role inheritance? For example, say I have 3 policies A, B, C and 3 roles. Role 1 can access policy A, role 2 can access policy B and role 3 can access policy C. What would be the best way of defining a role 4 such that it inherits all the policies of roles 1 and 2 (i.e. A and B, but not C) aside from creating the new role and manually changing my policies? Is this something that could be done with derived roles?

Charith (Cerbos)

05/25/2023, 1:46 PM

Hi, what do you mean by "policies" in this context? Are they Cerbos policies? If so, why do you say that Role 1 can only access policy A and so on? Is that something enforced on your application side?

Luis Diaz

05/25/2023, 1:49 PM

Sorry I’m getting my language confused. Policies would be rule action sets something along the lines of:

Luis Diaz

05/25/2023, 1:50 PM

Copy code

- name: PolicyA
  actions:
    - ...
  roles:
    - 1
- name: PolicyB
  actions:
    - ...
  roles:
    - 2

Luis Diaz

05/25/2023, 1:51 PM

I was wondering if there was a way (within the cerbos conf) for cerbos to recognise that

role = 3

is equivalent to roles 1 and 2 without having to add it everywhere explicitly

Charith (Cerbos)

05/25/2023, 1:56 PM

I see. I think you can use derived roles for this. A derived role without any condition is basically an alias for the

parentRoles

. So, you could create a derived role named

which has

parentRoles: ["1"]

. Then, when you want to say that role

is equal to

, change your derived role definition to

parentRoles: ["1", "3"]

Luis Diaz

05/25/2023, 1:59 PM

ah okay, I hadn’t tested that but I thought that might be the case. I’ll give that a try thank you very much!!

10 Views

Open in Slack

Previous Next