Hi, I’m trying to understand scoped policies. I ha...
# help
p
Hi, I’m trying to understand scoped policies. I have a basic project on the playground: https://play.cerbos.dev/p/8J649423cdT2NMSVt3lRjlfpCgFBlzS2. I have a default resource policy that doesn’t have any scope; this needs to apply to all users. I then create a Principal and a Resource on the right-hand side of the playground. At first I created both of them without a scope and everything works (`recipient:view` is allowed, everything else denied), then I added a scope to the principal and it still works, but the moment I add a scope to the resource everything gets denied. As I understood scope, since there isn’t a policy with the scope, it should fall back to the default no-scope policy, but it doesn’t look like that is happening here.
c
Hi. The current version of Cerbos requires a policy file with a given scope to exist in the store. So if you're making a request with the scope set to `a.b`, there must exist a policy file with scope `a.b` (which could be a bare one without any rules). The reason why your request worked when you set the principal scope is because principal policies are optional. If there's no principal policy matching the request, Cerbos falls back to the resource policy. Hope that makes sense.
p
Ah, makes sense. I added another file with empty rules and that works. A minor thing now is that it looks like the playground only populates actions based on the scope, so when I use the scoped resource it doesn’t show any actions by default, but I can manually add the other actions and it works as expected. I expect this is related to only the most specific scope being evaluated, but it would be nice to see all the available actions in the playground.
c
I see. Thanks for reporting. We'll look into it.
a
Hey @Pieter Slabbert, just to let you know, we've shipped an update which shows all actions from the entire scope chain in the playground. Hopefully that makes your life a bit easier.
p
Thank you!