# help

Jamie

07/04/2023, 11:26 AM
I'm looking to implement Cerbos for a User -> Role -> Tenant -> Tier -> Feature relationship model and would instinctively reach for a composite Principal (of User/Tenant) to establish if a User can access a Feature in the Tenant context but that doesn't seem to exist. Can anyone point me in the direction of how I would implement this model with existing features?

Andrew Haines (Cerbos)

07/04/2023, 11:31 AM
Hi Jamie, you can include whatever data you need in the principal's `attr` field, so you could have a `tenant` attribute if you want.

Jamie

07/04/2023, 11:33 AM
I considered this but would want to reference the Tenant's Tier to determine which Features it has access to. To do that, the Tenant would need to be a Principal in its own right and I would need to dynamically reference the Tenant Principal based upon the `tenant` attribute. Is that possible?

Andrew Haines (Cerbos)

07/04/2023, 11:39 AM
I'm not quite clear on what you mean by dynamically referencing the tenant principal. It sounds like you could be doing that by including the tier within the `tenant` attribute, and referencing `request.principal.attr.tenant.tier` in the feature resource policy?

Jamie

07/04/2023, 11:45 AM
In that case I would need to duplicate the Tenant data for every User that has access to it. If I wanted to update the Tenant data I would need to scan the User principals to check `request.principal.attr.tenant.id` and update accordingly which is not viable at scale. Thanks for your help, it doesn't seem like my use-case is covered without having to make two distinct check calls.

Andrew Haines (Cerbos)

07/04/2023, 11:50 AM
No problem, if you get it modelled with separate calls and want to drop us a playground link we can take a look and see if it could be combined somehow.