Roman Levytskyi
07/20/2023, 8:54 AMAndrew Haines (Cerbos)
resource.${resource}.v${version}/${scope}
, like resource.document.v1/acme
.
If you change these "header" fields that form the unique identifier, you get a new policy (even if the "body" is the same) and that means an add operation. Changing only the "body" of the policy means the unique identifier is the same and it's an update.
As for why they're one operation, it's because the update is a PUT not a PATCH; the policy you send is the full definition. This is usually a bit easier to work with because in most cases you don't care if the policy already exists in the store - you want to set this new definition regardless.
So I think for your get>modify>update process, it should be fine as long as you don't modify those "header" fields.Roman Levytskyi
07/20/2023, 9:13 AM