Jesum Yip
08/11/2023, 8:05 AM
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: invict_triage
  importDerivedRoles:
    - avengers_global_users
  rules:
    - actions:
        - subscribed
      effect: EFFECT_ALLOW
      derivedRoles:
        - avengers_invict_user
      condition:
        match:
          expr: request.resource.attr.data_org_id == "blablabla"
what's a clean way to add actions READ and actions WRITE permissions to the resource invict_triage for this specific derivedRole WITHOUT modifying the YAML above?
Jesum Yip
08/11/2023, 8:07 AM
Jesum Yip
08/11/2023, 8:07 AM
Andrew Haines (Cerbos)
Jesum Yip
08/11/2023, 8:13 AM
Jesum Yip
08/11/2023, 8:14 AM
Jesum Yip
08/11/2023, 8:16 AM
Jesum Yip
08/11/2023, 8:16 AM
Jesum Yip
08/11/2023, 8:17 AM
Andrew Haines (Cerbos)
Jesum Yip
08/11/2023, 8:18 AM
Andrew Haines (Cerbos)
rules for read/write rather than having to merge into the existing rule.
Jesum Yip
08/11/2023, 8:23 AM
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: invict_triage
  importDerivedRoles:
    - avengers_global_users
  rules:
    - actions:
        - subscribed
      effect: EFFECT_ALLOW
      derivedRoles:
        - avengers_invict_user
      condition:
        match:
          expr: request.resource.attr.data_org_id == "blablabla"

apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: invict_triage
  scope: "custom"
  importDerivedRoles:
    - avengers_global_users
  rules:
    - actions:
        - read
        - write
      effect: EFFECT_ALLOW
      derivedRoles:
        - avengers_invict_user
      condition:
        match:
          expr: request.resource.attr.data_org_id == "blablabla"
i just need to make sure EVERY API call to Cerbos has a resource scope of "custom"
Jesum Yip
08/11/2023, 8:25 AM
Jesum Yip
08/11/2023, 8:25 AM
Andrew Haines (Cerbos)