Hey guys, it’s me again. Quick architecture question: currently we have an instance of Cerbos running as a sidecar for our backend. It controls access to individual endpoints based on roles and attributes from the user session or the resources, but we don’t expose it to the internet.
Now we want to do some access control in our clients so they’re conditionally shown certain parts of the UI. Our UI pages/fragments don’t match 1-to-1 with the permissions we use for the backend, so our first inclination was perhaps to have a second instance of Cerbos, this one as a lambda function, that can be accessible by the clients that have different policies that map directly to UI components. Does this sound like a fair approach or is there a different pattern you can recommend?
06/07/2023, 8:46 AM
Hey, that's how I would do it as well. Sounds totally reasonable.
06/07/2023, 8:52 AM
I just built this for my web front end team. Remember one thing. The policy version name is literally a string and you can put anything in there. So it doesn't have to be "production" or "development" or "version" etc. 🙂