Denys Andriyanov
06/22/2023, 12:21 PM
---
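apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  # Import `identity_roles` so the derived roles it defines can be referenced
  # from rules through a `derivedRoles:` list.
  # NOTE(review): no rule below references a derived role yet.
  importDerivedRoles:
    - identity_roles
  # This policy is evaluated when a permission check is made for a resource
  # whose `kind` is "user_request".
  resource: user_request
  rules:
    # A principal with the `root` role is allowed every action. This rule has
    # no condition, so it is not tenant-scoped: `root` reaches `user_request`
    # resources in every tenant. Keep assignment of this role tightly
    # controlled.
    - actions: ["*"]
      roles:
        - root
      effect: EFFECT_ALLOW
    # A principal with the `admin` role is allowed every action, but only on a
    # `user_request` whose `tenant` attribute equals the principal's own
    # `tenant` attribute. The rule matches the plain `admin` role plus the
    # condition; a derived role such as `admin_that_owns_the_tenant` would
    # have to be listed under `derivedRoles:` to be used here.
    - actions: ["*"]
      roles:
        - admin
      effect: EFFECT_ALLOW
      condition:
        match:
          # Principal attributes are read through `request.principal.attr`,
          # the same way resource attributes are read through
          # `request.resource.attr`. Writing `request.principal.tenant`
          # fails policy compilation with "undefined field 'tenant'".
          #
          # This comparison is the tenant-isolation boundary: the caller
          # should populate `principal.attr.tenant` from a verified identity
          # claim, never from client-supplied input.
          # NOTE(review): add a policy test confirming that a request missing
          # either `tenant` attribute is denied.
          expr: request.resource.attr.tenant == request.principal.attr.tenant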
getting
"error":"failed to get check for [user_request.default]: policy compilation error: 1 compilation errors\nresource user request.yaml Invalid expression in resource rule 'rule-002' (failed to compile request.resource.attr.tenant == request.principal.tenant [undefined field 'tenant'])"}