# help

Luis Diaz

05/25/2023, 1:36 PM
Hello guys! Is there some mechanism for role inheritance? For example, say I have 3 policies A, B, C and 3 roles. Role 1 can access policy A, role 2 can access policy B and role 3 can access policy C. What would be the best way of defining a role 4 such that it inherits all the policies of roles 1 and 2 (i.e. A and B, but not C) aside from creating the new role and manually changing my policies? Is this something that could be done with derived roles?

Charith (Cerbos)

05/25/2023, 1:46 PM
Hi, what do you mean by "policies" in this context? Are they Cerbos policies? If so, why do you say that Role 1 can only access policy A and so on? Is that something enforced on your application side?

Luis Diaz

05/25/2023, 1:49 PM
Sorry I’m getting my language confused. Policies would be rule action sets something along the lines of:
```
- name: PolicyA
  actions:
    - ...
  roles:
    - 1
- name: PolicyB
  actions:
    - ...
  roles:
    - 2
```
I was wondering if there was a way (within the cerbos conf) for cerbos to recognise that `role = 3` is equivalent to roles 1 and 2 without having to add it everywhere explicitly

Charith (Cerbos)

05/25/2023, 1:56 PM
I see. I think you can use derived roles for this. A derived role without any condition is basically an alias for the `parentRoles`. So, you could create a derived role named `1` which has `parentRoles: ["1"]`. Then, when you want to say that role `3` is equal to `1`, change your derived role definition to `parentRoles: ["1", "3"]`.

Luis Diaz

05/25/2023, 1:59 PM
ah okay, I hadn’t tested that but I thought that might be the case. I’ll give that a try thank you very much!!