Hello team Cerbos 🙂 I have been exploring and testing for the last two weeks.
With the preface that I am not experienced with access control:
The API request seems to require the ID of the resource. What about situations where there is not yet a resource ID? e.g. creating a new object - once it is created it will have an id, but not before. If my logic is right, then why is this a required field, and is there a workaround necessary? (i.e. put in a random number so it satisfies that requirement to exist)
08/15/2023, 12:15 AM
For newly created resources the resource ID can be a random or even a static value. If you don’t refer to the resource ID in the policies’ conditions, you will see it only in the audit logs. Cerbos doesn’t keep track of them otherwise.
08/15/2023, 12:18 AM
Thank you @Dennis (Cerbos)
Can I offer suggestion then that this field is made optional in the API call 🙂
08/15/2023, 12:23 AM
Fair enough. It is a bit inconvenient when there’s no ID, but we’re forcing to provide IDs when there are IDs. This decision pays off later in the application lifecycle when audit logs become critical.
Sorry, I can’t find a reference to a relevant discussion now.