https://cerbos.dev logo
#help
Title
# help
a

Andrew Young

07/17/2023, 11:11 PM
@Dennis (Cerbos) do you have a few minutes for me to get your opinion on a use case? We have a requirement for user-defined "groups" where users assigned to the group all inherit the same permissions at the group level. I was originally thinking that derived roles would be a good fit but after further analysis does not appear to be an optimal approach because of the custom nature of these groups. There would be an unbounded and dynamic number of these groups and it would be very cumbersome to import X number of derived roles into a Resource Policy. Do you have any experience with this use case in Cerbos?
d

Dennis (Cerbos)

07/17/2023, 11:31 PM
Do the policy conditions mention these groups explicitly? An example might help.
a

Andrew Young

07/17/2023, 11:37 PM
Example: • Group
Server Admins for abc
◦ Allows action 1 & 2 ◦ Resource
servers
◦ Condition
tenant == abc
• Group
Server Admins for xyz
◦ Allows action 1 & 3 ◦ Resource
servers
◦ Condition
tenant == xyz
User A is added to group
Server Admins for abc
User B is added to group
Server Admins for xyz
User C is added to both groups.
These groups are user-defined groups. So our end users can create as many of these as they need
d

Dennis (Cerbos)

07/17/2023, 11:40 PM
One question.
Server Admin
is a group. What is
Server Admin for xyz
?
a

Andrew Young

07/17/2023, 11:41 PM
sorry, i edited the example. had a typo in there.
d

Dennis (Cerbos)

07/17/2023, 11:45 PM
Is condition always like that (
tenant == x
) or it can be defined by the user?
a

Andrew Young

07/17/2023, 11:47 PM
no. it can be whatever the user would like.
d

Dennis (Cerbos)

07/17/2023, 11:49 PM
Is the group itself unbounded?
a

Andrew Young

07/17/2023, 11:49 PM
meaning, you can add variable number of users to the group?
d

Dennis (Cerbos)

07/17/2023, 11:50 PM
yes, unbounded number of users
a

Andrew Young

07/17/2023, 11:50 PM
yes
d

Dennis (Cerbos)

07/17/2023, 11:55 PM
I think for each tenant you can have a policy scope. A group then is basically a role.
a

Andrew Young

07/17/2023, 11:57 PM
that won't work if condition is
tenant == foo || tenant == bar
d

Dennis (Cerbos)

07/17/2023, 11:59 PM
I thought it is a tenant who creates these groups, conditions and assigns users to the groups.
a

Andrew Young

07/18/2023, 12:01 AM
Customers (user) would manage these groups.
user may have access to multiple tenants.
d

Dennis (Cerbos)

07/18/2023, 12:03 AM
Who is a tenant? Another type of user?
a

Andrew Young

07/18/2023, 12:05 AM
a tenant could be a company or some other organizational entity but it is not a user.
d

Dennis (Cerbos)

07/18/2023, 12:07 AM
Okay. In this case a customer can be given a separate scope. A customer then assigns users to groups. The groups can be roles from Cerbos perspective.
I presume you use Postgres and can use admin API to create policies.
a

Andrew Young

07/18/2023, 12:10 AM
ah ok thanks. let me think on this.
so if the group (role) can access two resources
servers
and
network
, then I would need to write two Resource Policies for that one group right?
d

Dennis (Cerbos)

07/18/2023, 12:19 AM
yes
a

Andrew Young

07/18/2023, 12:20 AM
k. got it. thank you.
3 Views