Pieter Slabbert
06/22/2023, 10:50 AM
recipient:view is allowed, everything else denied), then I added a scope to the principal and it still works, but the moment I add a scope to the resource everything gets denied.
As I understood scope, since there isn’t a policy with the scope it should fall back to the default no scope policy, but it doesn’t look like that is happening here.
Charith (Cerbos)
a.b, there must exist a policy file with scope a.b (which could be a bare one without any rules).
The reason why your request worked when you set the principal scope is because principal policies are optional. If there's no principal policy matching the request, Cerbos falls back to the resource policy.
Hope that makes sense.
Pieter Slabbert
06/22/2023, 11:19 AM
Charith (Cerbos)
Alex Olivier (Cerbos)
Pieter Slabbert
07/03/2023, 11:20 AM