< Dennis Cerbos > do you have a few minutes for me to get yo Cerbos Community #help

<@U02D2JSV745> do you have a few minutes for me to...

Andrew Young

07/17/2023, 11:11 PM

@Dennis (Cerbos) do you have a few minutes for me to get your opinion on a use case? We have a requirement for user-defined "groups" where users assigned to the group all inherit the same permissions at the group level. I was originally thinking that derived roles would be a good fit but after further analysis does not appear to be an optimal approach because of the custom nature of these groups. There would be an unbounded and dynamic number of these groups and it would be very cumbersome to import X number of derived roles into a Resource Policy. Do you have any experience with this use case in Cerbos?

Dennis (Cerbos)

07/17/2023, 11:31 PM

Do the policy conditions mention these groups explicitly? An example might help.

Andrew Young

07/17/2023, 11:37 PM

Example: • Group

Server Admins for abc

◦ Allows action 1 & 2 ◦ Resource

servers

◦ Condition

tenant == abc

• Group

Server Admins for xyz

◦ Allows action 1 & 3 ◦ Resource

servers

◦ Condition

tenant == xyz

User A is added to group

Server Admins for abc

User B is added to group

Server Admins for xyz

User C is added to both groups.

Andrew Young

07/17/2023, 11:38 PM

These groups are user-defined groups. So our end users can create as many of these as they need

Dennis (Cerbos)

07/17/2023, 11:40 PM

One question.

Server Admin

is a group. What is

Server Admin for xyz

Andrew Young

07/17/2023, 11:41 PM

sorry, i edited the example. had a typo in there.

Dennis (Cerbos)

07/17/2023, 11:45 PM

Is condition always like that (

tenant == x

) or it can be defined by the user?

Andrew Young

07/17/2023, 11:47 PM

no. it can be whatever the user would like.

Dennis (Cerbos)

07/17/2023, 11:49 PM

Is the group itself unbounded?

Andrew Young

07/17/2023, 11:49 PM

meaning, you can add variable number of users to the group?

Dennis (Cerbos)

07/17/2023, 11:50 PM

yes, unbounded number of users

Andrew Young

07/17/2023, 11:50 PM

yes

Dennis (Cerbos)

07/17/2023, 11:55 PM

I think for each tenant you can have a policy scope. A group then is basically a role.

Andrew Young

07/17/2023, 11:57 PM

that won't work if condition is

tenant == foo || tenant == bar

Dennis (Cerbos)

07/17/2023, 11:59 PM

I thought it is a tenant who creates these groups, conditions and assigns users to the groups.

Andrew Young

07/18/2023, 12:01 AM

Customers (user) would manage these groups.

Andrew Young

07/18/2023, 12:01 AM

user may have access to multiple tenants.

Dennis (Cerbos)

07/18/2023, 12:03 AM

Who is a tenant? Another type of user?

Andrew Young

07/18/2023, 12:05 AM

a tenant could be a company or some other organizational entity but it is not a user.

Dennis (Cerbos)

07/18/2023, 12:07 AM

Okay. In this case a customer can be given a separate scope. A customer then assigns users to groups. The groups can be roles from Cerbos perspective.

Dennis (Cerbos)

07/18/2023, 12:08 AM

I presume you use Postgres and can use admin API to create policies.

Andrew Young

07/18/2023, 12:10 AM

ah ok thanks. let me think on this.

Andrew Young

07/18/2023, 12:18 AM

so if the group (role) can access two resources

servers

and

network

, then I would need to write two Resource Policies for that one group right?

Dennis (Cerbos)

07/18/2023, 12:19 AM

yes

Andrew Young

07/18/2023, 12:20 AM

k. got it. thank you.

3 Views

Open in Slack

Previous Next