does a principal policy always override a resource...
# help
j
does a principal policy always override a resource policy?
based on my testing it looks like it doesn't??? a principal policy is OR-ed with a resource policy? is there a way to make it override?
i have a resource policy with derived roles and a single condition. i also have a principal policy for a user who is inside that derived role. it appears the principal policy gets OR-ed against the resource policy. i was expecting the principal policy to always TRUMP all other policies.
i have a cerbos playground URL that demonstrates this
c
Principal policy does take precedence over resource policy IF there is a principal policy matching the principal ID
j
for what it's worth, it looks like cerbos is matching principal ID and conditions in the principal policy to see if it has an explicit EFFECT_ALLOW or EFFECT_DENY. if it cannot find an explicit match, it will ignore the principal policy.
```yaml
# rules section of the principal policy
rules:
    - resource: "*"
      actions:
        - action: read
          condition:
            match:
              all:
                of:
                  - expr: R.kind == "123"
                  - expr: R.attr.data_org_id == "456"
          effect: EFFECT_ALLOW
```
so putting something like the above means if you submit a request with a resource.kind = "xxxx", it would not match the principal policy above. it would only match if your resource.kind = "123".
i was hoping for a solution where user-x is only allowed to access resource.kind = "123" and all other resource.kind values would result in EFFECT_DENY.
guess that explains why the negative condition works for the outcome i want, i.e. `expr: R.kind != "123"` works.
a
Yeah exactly, if no rule matches in the original policy then we fall through to the resource policy, so in your case you'll definitely need a rule with `EFFECT_DENY` and a condition like `R.kind != "123"`.