Are there any examples of fine-grained resource outputs? I would like to have two roles that have access to view a resource, but only to a certain field:
Document
• id
• name
• created_at
• secret_data
Admin can view Documents for all fields
Manager can view Documents, but only id, name, and created_at
“For example, in an HR application, a resource can be as coarse-grained as a full employee record or as fine-grained as a single field in the record.”
I don't think we have a specific example but here's a general guide for policy modelling approaches that you might find useful: Basically, you can choose to model this in a couple of different ways.
• Have a resource policy per field: this is a bit extreme but that's what the docs mean by "fine-grained as a single field in the record"
• Use a single resource policy but prefix your actions with the field name (
etc.) Because Cerbos supports hierarchical wildcards for actions, you can write rules like
to grant view on all fields or
to grant all on the ID field and so on. This is probably how I would model it.
• If you only have a small set of fields to secure, you can have a single rule targeting an action like
and then write a condition that checks the principal role and the field being accessed. This is probably not very maintainable if you add more fields later on.
• If you only need to protect certain fields, use scoped policies where the scope is the field name. Coupled with lenient scope search you can write a single policy targeting all of your fields and then override the rules for some of them by adding a scoped policy for those fields.
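The second approach in the answer above (one resource policy, actions prefixed with the field name, hierarchical wildcards for the broad role), written out as an added example that is not from the thread or from the Cerbos project itself. It assumes a resource kind named "document", roles named "admin" and "manager", and the four field names from the question; all of those names are assumptions.

```yaml
# Added example, not from the thread: a single Cerbos resource policy that
# encodes field-level read access by prefixing the action with the field name.
# Assumed names: resource kind "document", roles "admin" and "manager",
# fields id, name, created_at and secret_data (taken from the question).
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: "document"
  rules:
    # Admin: "view:*" is a hierarchical wildcard, so this one rule matches
    # view:id, view:name, view:created_at and view:secret_data.
    - actions: ["view:*"]
      effect: EFFECT_ALLOW
      roles: ["admin"]

    # Manager: list the permitted field actions explicitly. An action that no
    # rule matches (here view:secret_data) gets the default DENY, so the
    # sensitive field is protected without writing an explicit deny rule.
    - actions: ["view:id", "view:name", "view:created_at"]
      effect: EFFECT_ALLOW
      roles: ["manager"]
```

The application then asks the PDP about every field action it might render (for example `view:id`, `view:name`, `view:created_at` and `view:secret_data` in one check for the document) and only serialises the fields whose action came back ALLOW. Because unmatched actions deny by default, adding a new field to the record means adding its `view:<field>` action to the manager rule before managers can see it; that is the maintenance trade-off the answer alludes to, and it fails closed rather than open.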
Thank you @Charith (Cerbos), I can work with this.