Botros Toro 08/16/2023, 9:39 AM
etc.) Because Cerbos supports hierarchical wildcards for actions, you can write rules like
to grant view on all fields or
to grant all on the ID field and so on. This is probably how I would model it.
• If you only have a small set of fields to secure, you can have a single rule targeting an action like
and then write a condition that checks the principal role and the field being accessed. This is probably not very maintainable if you add more fields later on.
• If you only need to protect certain fields, use scoped policies where the scope is the field name. Coupled with lenient scope search you can write a single policy targeting all of your fields and then override the rules for some of them by adding a scoped policy for those fields.
Botros Toro 08/16/2023, 12:10 PM