Are there any examples of fine grained resource outputs? I would like to have two roles that have access to view a resource, but only to a certain field: Document • id • name • created_at • secret_data Admin can view Documents for all fields Manager can view Documents, but only id, name, and created_at “For example, in an HR application, a resource can be as coarse-grained as a full employee record or as fine-grained as a single field in the record.” https://docs.cerbos.dev/cerbos/latest/policies/resource_policies

I don't think we have a specific example but here's a general guide for policy modelling approaches that you might find useful: https://docs.cerbos.dev/cerbos/latest/policies/best_practices Basically, you can choose to model this in a couple of different ways. • Have a resource policy per field: this is a bit extreme but that's what the docs mean by "...as fine-grained as a single field in the record" • Use a single resource policy but prefix your actions with the field name (

id:view

,

name:edit

etc.) Because Cerbos supports hierarchical wildcards for actions, you can write rules like

*:view

to grant view on all fields or

id:*

to grant all on the ID field and so on. This is probably how I would model it. • If you only have a small set of fields to secure, you can have a single rule targeting an action like

view

and then write a condition that checks the principal role and the field being accessed. This is probably not very maintainable if you add more fields later on. • If you only need to protect certain fields, use scoped policies where the scope is the field name. Coupled with lenient scope search you can write a single policy targeting all of your fields and then override the rules for some of them by adding a scoped policy for those fields.

Thank you @Charith (Cerbos), I can work with this.