Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

quick question - with a principal policy, there's a value for `principalPolicy.principal` . how is this reference? is it in a derived role?

Principal policies allow overrides to specific principals. The `principalPolicy.principal` matches the requests’ `principal.id`.

btw is this documented in your docs anywhere i.e. that principalPolicy.principal matches requests' principal.id ?

We have a section for the <https://docs.cerbos.dev/cerbos/latest/tutorial/07_principal-policies|principal policies> in the docs

"With this policy in place, when an authorization check is made with the principal ID of `dpo1` the delete action on a `contact` resource is overridden to be allowed." - it wasn't immediately obvious to me that `principal ID` refers to the requests' principal.id field. but thanks for pointing that out!

Yes, it is not obvious, some clarification on that part would be nice. Thanks for mentioning.