Does a principal policy always override a resource policy?
Based on my testing it looks like it doesn't? A principal policy is OR-ed with a resource policy? Is there a way to make it override?
I have a resource policy with derived roles and a single condition. I also have a principal policy for a user who is inside that derived role. It appears the principal policy gets OR-ed against the resource policy. I was expecting the principal policy to always TRUMP all other policies.
I have a Cerbos playground URL that demonstrates this.
Principal policy does take precedence over resource policy IF there is a principal policy matching the principal ID
For what it's worth, it looks like Cerbos is matching the principal ID and the conditions in the principal policy to see if it has an explicit EFFECT_ALLOW or EFFECT_DENY. If it cannot find an explicit match, it will ignore the principal policy.
    - resource: "*"   # principal policy rule; the actions/condition/match/all/of wrapper keys are restored from the original indentation
      actions:
        - action: read
          condition:
            match:
              all:   # both expressions must hold for the rule to match
                of:
                  - expr: R.kind == "123"
                  - expr: R.attr.data_org_id == "456"
          effect: EFFECT_ALLOW
So putting something like the above means that if you submit a request with resource.kind = "xxxx", it would not match the principal policy above. It would only match if your resource.kind = "123".
I was hoping for a solution where user-x is only allowed to access resource.kind = "123" and all other resource.kind values would result in EFFECT_DENY.
Guess that explains why the negative condition works for the outcome I want, i.e.
expr: R.kind != "123"
Yeah exactly, if no rule matches in the original policy then we fall through to the resource policy, so in your case you'll definitely need a rule with
and a condition like
R.kind != "123"
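A complete principal policy that pins down the behaviour discussed in this thread, written here as an added example rather than taken from the thread or from the Cerbos project itself. The principal ID user-x, the policy version, and the attribute value "456" are assumptions; the two conditions are the ones posted above. The explicit EFFECT_DENY rule is what stops requests for any other resource kind from falling through to the resource policy:

```yaml
apiVersion: api.cerbos.dev/v1
principalPolicy:
  principal: user-x      # assumed principal ID
  version: default       # assumed policy version
  rules:
    - resource: "*"
      actions:
        # Explicit deny for every resource kind other than "123".
        # Without this rule a request for another kind matches nothing here
        # and Cerbos falls through to the resource policy (and its derived roles).
        - action: read
          effect: EFFECT_DENY
          condition:
            match:
              expr: R.kind != "123"
        # Explicit allow for kind "123" in the expected org.
        - action: read
          effect: EFFECT_ALLOW
          condition:
            match:
              all:
                of:
                  - expr: R.kind == "123"
                  - expr: R.attr.data_org_id == "456"
```

Note the remaining gap: a request for kind "123" whose data_org_id is not "456" matches neither rule, so it is still decided by the resource policy. If that case should also be denied for this principal, widen the deny condition (for example an any/of over R.kind != "123" and R.attr.data_org_id != "456") so that every request either hits an explicit allow or an explicit deny in the principal policy.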