https://cerbos.dev logo
#help
Title
# help
n

Norberto Cáceres

06/21/2023, 4:55 PM
Hi, I have a use case where only team admins can remove users from the team, and the way a team admin is defined in our system is not via an intrinsic user property that assigns them their role, but via a table that relates users with teams and a role, as a user can belong to many teams and have a different role in each one. Does it make sense for me to pass all of the user's teams in the payload of
isAllowed
as part of the principal's attributes and treating the team itself as the resource, to check in a derived role condition if the team's id is present in the teams array with a role of "Admin"?
so in the example above I would check in a derived role condition if the resource's id is present in the principal's attributes.teams array with a role of "Admin" to assign them a derived role that allows for the REMOVE_USERS action
a

Alex Olivier (Cerbos)

06/21/2023, 5:00 PM
Hey yes that is how I would suggest modeling it - very similar to this example https://play.cerbos.dev/p/IJxlK6131f642ND65F1EhPmiT18Ap1A5
n

Norberto Cáceres

06/21/2023, 5:07 PM
Ok thanks! Good to know I was on the right track