https://cerbos.dev logo
#help
Title
# help
j

Jesum Yip

08/18/2023, 1:03 PM
does a principal policy always override a resource policy?
based on my testing it looks like it doesn't??? a principal policy is OR-ed with a resource policy? is there a way to make it override?
i have a resource policy with derived roles and a single condition. i have also have a principal policy for a user who is inside that derived role. it appears the principal policy gets OR-ed against the resource policy. i was expecting the principal policy to always TRUMP all other policies.
i have a cerbos playground URL that demonstrates this
c

Charith (Cerbos)

08/18/2023, 1:09 PM
Principal policy does take precedence over resource policy IF there is a principal policy matching the principal ID
j

Jesum Yip

08/18/2023, 1:33 PM
for what it's worth, it looks like cerbos is matching principal ID and conditions in the principal policy to see if it has an explicit EFFECT_ALLOW or EFFECT_DENY. if it cannot find an explicit match, it will ignore the principal policy.
Copy code
rules:
    - resource: "*"
      actions:
        - action: read
          condition:
            match:
              all:
                of:
                  - expr: R.kind == "123"
                  - expr: R.attr.data_org_id == "456"
          effect: EFFECT_ALLOW
so putting something like the above means if you submit a request with a resource.kind = "xxxx", it would not match the principal policy above. it would only match if your resource.kind = "123".
i was hoping for a solution where user-x is only allowed to access resource.kind = "123" and all other resource.kind values would result in EFFECT_DENY.
guess that explains why the negative condition works for the outcome i want. i.e.
expr: R.kind != "123"
works.
a

Andrew Haines (Cerbos)

08/18/2023, 3:52 PM
Yeah exactly, if no rule matches in the original policy then we fall through to the resource policy, so in your case you'll definitely need a rule with
EFFECT_DENY
and a condition like
R.kind != "123"
.
3 Views