https://cerbos.dev logo
#help
Title
# help
a

Andrew Young

07/11/2023, 8:09 PM
If we have resources that all have similar rules for authorization, should I just create a single Resource Policy that can apply to all resources of that type? or is it better to have a Resource Policy per resource instance (id)?
a

Alex Olivier (Cerbos)

07/11/2023, 8:42 PM
Hey! Resources policies are designed to have a single policy for each
kind
of resource in your system rather than each instance/id
You pass in the unique attributes of a resource in the request to Cerbos and then use that data to make decisions in conditions that are resource specific
a

Andrew Young

07/11/2023, 9:17 PM
thanks. does this also apply to Principal Policies?
i notice the examples for Principal Policies are specific to Daffy Duck, which makes me think that they are instance specific
a

Alex Olivier (Cerbos)

07/11/2023, 9:19 PM
Principal policies are a bit of an exception for a rule - designed for the use case when a specific principal ID needs special access (eg auditor, SRE etc) - this policy then overrides all other policies when the principal ID matches. In most systems there are very few (mostly none) of these.
a

Andrew Young

07/11/2023, 9:21 PM
ok so should we try to stay away from Principal Policies if it can be solved more generally with a Resource Policy?
a

Alex Olivier (Cerbos)

07/11/2023, 9:27 PM
Yes that is recommended
If you haven't seen it yet, our playground has some examples https://play.cerbos.dev/
a

Andrew Young

07/11/2023, 9:28 PM
yes, i'm on it now 🙂 thanks.
@Alex Olivier (Cerbos) we have a need for customers to be able to create custom policies much like is done in AWS's IAM. How would we go about doing this w/ Cerbos?
its kind of limiting if Resource Policies are per
kind
.
c

Charith (Cerbos)

07/12/2023, 5:23 AM
Hey, you can have resource policies per instance if that's what you really want. We generally recommend writing policies for a whole class of resources (the resource
kind
) because that keeps things tidy and reduces the number of policies you have to deal with. If you want your tenants to create policies, the best way to do that would be through scoped policies.
a

Andrew Young

07/12/2023, 4:11 PM
thanks @Charith (Cerbos). so what we need to do is to provide authorization to API Clients (as in OAuth2 clients). These clients would be our Principals. And we need to have our customers be able to customize the authorization policies for each client. Not sure how you would solve this with scoped policies but I was thinking that we would instead use Principal Policies -- one for each API Client.
c

Charith (Cerbos)

07/12/2023, 4:43 PM
Ah I see. I suppose you could use the client ID as the scope name if you want to use scoped policies. However, principal policies sound like the better choice here.