is it possible for a person to have multiple deriv...
# help
is it possible for a person to have multiple derived roles?
like a global role of - "featureXSubscribed" and an additional role of "roleAWithinFeatureX" ?
and someone else would have "featureXSubscribed" with an additional role of "roleBWithinFeatureX"
i mean i could create 2 roles featureXSubscribedRoleA featureXSubscribedRoleB
but that can quickly grow....
If multiple derived roles match then that request would have multiple derived roles associated with it
oh ok! so when i am writing a resource policy, can i have an expr that accesses the derivedrole? like a P.attr.derivedRole or P.derivedRole?
actually, nevermind. let me go experiment a bit 🙂
The derived roles for the principal are not accessible from within the condition blocks, unfortunately.
turns out the multiple derived roles capability addressed my use case. i'm a happy cow. 🙂