Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Screenshot 2023-06-21 at 11.55.06 AM.png

Hi, I have a use case where only team admins can remove users from the team, and the way a team admin is defined in our system is not via an intrinsic user property that assigns them their role, but via a table that relates users with teams and a role, as a user can belong to many teams and have a different role in each one. Does it make sense for me to pass all of the user's teams in the payload of `isAllowed`  as part of the principal's attributes and treating the team itself as the resource, to check in a derived role condition if the team's id is present in the teams array with a role of "Admin"?

so in the example above I would check in a derived role condition if the resource's id is present in the principal's attributes.teams array with a role of "Admin" to assign them a derived role that allows for the REMOVE_USERS action

Hey yes that is how I would suggest modeling it - very similar to this example  <https://play.cerbos.dev/p/IJxlK6131f642ND65F1EhPmiT18Ap1A5>

Ok thanks! Good to know I was on the right track