I'm looking to implement Cerbos for a User -> R...
# help
j
I'm looking to implement Cerbos for a User -> Role -> Tenant -> Tier -> Feature relationship model and would instinctively reach for a composite Principal (of User/Tenant) to establish if a User can access a Feature in the Tenant context but that doesn't seem to exist. Can anyone point me in the direction of how I would implement this model with existing features?
a
Hi Jamie, you can include whatever data you need in the principal's `attr` field, so you could have a `tenant` attribute if you want.
j
I considered this but would want to reference the Tenant's Tier to determine which Features it has access to. To do that, the Tenant would need to be a Principal in its own right and I would need to dynamically reference the Tenant Principal based upon the `tenant` attribute. Is that possible?
a
I'm not quite clear on what you mean by dynamically referencing the tenant principal. It sounds like you could be doing that by including the tier within the `tenant` attribute, and referencing `request.principal.attr.tenant.tier` in the feature resource policy?
j
In that case I would need to duplicate the Tenant data for every User that has access to it. If I wanted to update the Tenant data I would need to scan the User principals to check `request.principal.attr.tenant.id` and update accordingly, which is not viable at scale. Thanks for your help, it doesn't seem like my use-case is covered without having to make two distinct check calls.
a
No problem, if you get it modelled with separate calls and want to drop us a playground link we can take a look and see if it could be combined somehow.