https://cerbos.dev logo
#help
Title
# help
j

Jesum Yip

08/17/2023, 6:40 AM
what's an easy way to say Principal-XXX has access to resource-Y and NO ACCESS to ALL OTHER RESOURCES?
i can craft a principal policy but i cannot put
rules.resource: "*"
because that would override
rules.resource: "resource-Y"
i also have a resource policy for resource-Y. but that resource policy currently grants access to a derivedRole. and it just so happens that Principal-XXX is a part of that derivedRole.
which is great right? except there's also resource-X and resource-Z and the derivedRole also has access to these.
d

Dennis (Cerbos)

08/17/2023, 6:48 AM
You can have a principal policy for
rules.resource: "*"
which gives
EFFECT_ALLOW
with condition
R.kind == "resource-Y"
j

Jesum Yip

08/17/2023, 6:49 AM
Aaaaah! Didn't know you could do that
Yes, that would work
btw it turned out to be the other way around
Copy code
apiVersion: "api.cerbos.dev/v1"
principalPolicy:
  principal: "principal-id"
  rules:
    - resource: "*"
      actions:
        - action: read
          condition:
            match:
              expr: R.kind != "the_resource_that_user_should_have_access_to"
          effect: EFFECT_DENY
if i did it the way you suggested in the first place, it wouldn't work. it would always result in EFFECT_ALLOW. just a little update to my use case. 🙂
2 Views