what's an easy way to say Principal-XXX has access...
# helpj
Jesum Yip
08/17/2023, 6:40 AMwhat's an easy way to say Principal-XXX has access to resource-Y and NO ACCESS to ALL OTHER RESOURCES?
Jesum Yip
08/17/2023, 6:41 AMi can craft a principal policy but i cannot put
rules.resource: "*"Jesum Yip
08/17/2023, 6:41 AMbecause that would override
rules.resource: "resource-Y"Jesum Yip
08/17/2023, 6:42 AMi also have a resource policy for resource-Y. but that resource policy currently grants access to a derivedRole. and it just so happens that Principal-XXX is a part of that derivedRole.
Jesum Yip
08/17/2023, 6:42 AMwhich is great right? except there's also resource-X and resource-Z and the derivedRole also has access to these.
d
Dennis (Cerbos)
08/17/2023, 6:48 AM
You can have a principal policy for
rules.resource: "*"EFFECT_ALLOWR.kind == "resource-Y"j
Jesum Yip
08/17/2023, 6:49 AMAaaaah! Didn't know you could do that
Jesum Yip
08/17/2023, 6:49 AMYes, that would work
Jesum Yip
08/18/2023, 7:15 AMbtw it turned out to be the other way around
Jesum Yip
08/18/2023, 7:16 AM Copy code
apiVersion: "api.cerbos.dev/v1"
principalPolicy:
principal: "principal-id"
rules:
- resource: "*"
actions:
- action: read
condition:
match:
expr: R.kind != "the_resource_that_user_should_have_access_to"
effect: EFFECT_DENYJesum Yip
08/18/2023, 7:17 AMif i did it the way you suggested in the first place, it wouldn't work. it would always result in EFFECT_ALLOW. just a little update to my use case. 🙂
2 Views