Botros Toro
08/16/2023, 9:39 AM
Charith (Cerbos)
id:view, name:edit etc.) Because Cerbos supports hierarchical wildcards for actions, you can write rules like *:view to grant view on all fields or id:* to grant all on the ID field and so on. This is probably how I would model it.
• If you only have a small set of fields to secure, you can have a single rule targeting an action like view and then write a condition that checks the principal role and the field being accessed. This is probably not very maintainable if you add more fields later on.
• If you only need to protect certain fields, use scoped policies where the scope is the field name. Coupled with lenient scope search you can write a single policy targeting all of your fields and then override the rules for some of them by adding a scoped policy for those fields.
Botros Toro
08/16/2023, 12:10 PM