#help

Botros Toro

08/16/2023, 9:39 AM
Are there any examples of fine-grained resource outputs? I would like to have two roles that have access to view a resource, but only to a certain field:

Document
• id
• name
• created_at
• secret_data

Admin can view Documents for all fields.
Manager can view Documents, but only id, name, and created_at.

“For example, in an HR application, a resource can be as coarse-grained as a full employee record or as fine-grained as a single field in the record.” https://docs.cerbos.dev/cerbos/latest/policies/resource_policies

Charith (Cerbos)

08/16/2023, 10:25 AM
I don't think we have a specific example but here's a general guide for policy modelling approaches that you might find useful: https://docs.cerbos.dev/cerbos/latest/policies/best_practices

Basically, you can choose to model this in a couple of different ways.
• Have a resource policy per field: this is a bit extreme but that's what the docs mean by "...as fine-grained as a single field in the record".
• Use a single resource policy but prefix your actions with the field name (`id:view`, `name:edit` etc.). Because Cerbos supports hierarchical wildcards for actions, you can write rules like `*:view` to grant view on all fields or `id:*` to grant all on the ID field and so on. This is probably how I would model it.
• If you only have a small set of fields to secure, you can have a single rule targeting an action like `view` and then write a condition that checks the principal role and the field being accessed. This is probably not very maintainable if you add more fields later on.
• If you only need to protect certain fields, use scoped policies where the scope is the field name. Coupled with lenient scope search you can write a single policy targeting all of your fields and then override the rules for some of them by adding a scoped policy for those fields.

Botros Toro

08/16/2023, 12:10 PM
Thank you @Charith (Cerbos), I can work with this.