Jesum Yip
08/24/2023, 4:06 AM
Dennis (Cerbos)
Jesum Yip
08/24/2023, 4:08 AM
match:
  all:
    of:
      - expr: P.id in ["xxxxxxxxxx"]
      - any:
          of:
            - all:
                of:
                  - expr: has(request.aux_data.jwt.aud)
                  - any:
                      of:
                        - expr: >
                            "myaud" in request.aux_data.jwt.aud
                        - expr: (request.aux_data.jwt.aud == "myaud")
                  - expr: has(request.aux_data.jwt.org_info)
                  - expr: has(request.aux_data.jwt.org_info.default_org_id)
                  - expr: has(request.aux_data.jwt.org_info.orgs)
                  - expr: type(request.aux_data.jwt.org_info.orgs) == list
                  - expr: >
                      request.aux_data.jwt.org_info.default_org_id == "org_id"
                  - any:
                      of:
                        - expr: request.principal.attr.surrogate_org_id == ""
                        - expr: has(request.principal.attr.surrogate_org_id) == false
                        - expr: request.principal.attr.surrogate_org_id == null
            # The next section guarantees that the user is an Avengers surrogate user
            - all:
                of:
                  - expr: has(request.aux_data.jwt.aud)
                  - expr: >
                      ("myaud" in request.aux_data.jwt.aud)
                  - expr: has(request.aux_data.jwt.org_info)
                  - expr: has(request.aux_data.jwt.org_info.default_org_id)
                  - expr: has(request.aux_data.jwt.org_info.orgs)
                  - expr: type(request.aux_data.jwt.org_info.orgs) == list
                  - expr: has(request.principal.attr.surrogate_org_id)
                  - expr: >
                      request.principal.attr.surrogate_org_id == "org_id"
                  - expr: >
                      request.aux_data.jwt.org_info.orgs.exists_one(t, t.org_id == "org_id")
Jesum Yip
08/24/2023, 4:09 AM
apiVersion: api.cerbos.dev/v1
description: Common variables used within the Apatr app
exportVariables:
  name: apatr_common_variables
  definitions:
    super_var:
      match:
        all:
          of:
            - expr: P.id in ["xxxxxxxxxx"]
            - any:
                of:
                  - all:
                      of:
                        - expr: has(request.aux_data.jwt.aud)
                        - any:
                            of:
                              - expr: >
                                  "myaud" in request.aux_data.jwt.aud
                              - expr: (request.aux_data.jwt.aud == "myaud")
                        - expr: has(request.aux_data.jwt.org_info)
                        - expr: has(request.aux_data.jwt.org_info.default_org_id)
                        - expr: has(request.aux_data.jwt.org_info.orgs)
                        - expr: type(request.aux_data.jwt.org_info.orgs) == list
                        - expr: >
                            request.aux_data.jwt.org_info.default_org_id == "org_id"
                        - any:
                            of:
                              - expr: request.principal.attr.surrogate_org_id == ""
                              - expr: has(request.principal.attr.surrogate_org_id) == false
                              - expr: request.principal.attr.surrogate_org_id == null
                  # The next section guarantees that the user is an Avengers surrogate user
                  - all:
                      of:
                        - expr: has(request.aux_data.jwt.aud)
                        - expr: >
                            ("myaud" in request.aux_data.jwt.aud)
                        - expr: has(request.aux_data.jwt.org_info)
                        - expr: has(request.aux_data.jwt.org_info.default_org_id)
                        - expr: has(request.aux_data.jwt.org_info.orgs)
                        - expr: type(request.aux_data.jwt.org_info.orgs) == list
                        - expr: has(request.principal.attr.surrogate_org_id)
                        - expr: >
                            request.principal.attr.surrogate_org_id == "org_id"
                        - expr: >
                            request.aux_data.jwt.org_info.orgs.exists_one(t, t.org_id == "org_id")
Jesum Yip
08/24/2023, 4:10 AM
Dennis (Cerbos)
Jesum Yip
08/24/2023, 4:10 AM
expr
Dennis (Cerbos)
Jesum Yip
08/24/2023, 4:11 AM
match.any.of etc
Jesum Yip
08/24/2023, 4:11 AM
match.all.of ..... ok. i'll try that. thanks!
Dennis (Cerbos)
Jesum Yip
08/24/2023, 4:13 AM
Dennis (Cerbos)
Jesum Yip
08/24/2023, 4:36 AM
apiVersion: "api.cerbos.dev/v1"
description: Global Invicta Roles
derivedRoles:
  name: global_invicta_roles
  definitions:
    - name: invicta_cspm_role
      parentRoles: ["*"]
      condition:
        match:
          any:
            of:
              - expr: P.id in ["xxxx"]
              - expr: P.derivedRole in ["Auditor"]
Jesum Yip
08/24/2023, 4:36 AM
P.derivedRole
Dennis (Cerbos)
Jesum Yip
08/24/2023, 4:37 AM
- all:
    of:
      - expr: has(request.aux_data.jwt.aud)
      - any:
          of:
            - expr: >
                "myaud" in request.aux_data.jwt.aud
            - expr: (request.aux_data.jwt.aud == "myaud")
      - expr: has(request.aux_data.jwt.org_info)
      - expr: has(request.aux_data.jwt.org_info.default_org_id)
      - expr: has(request.aux_data.jwt.org_info.orgs)
      - expr: type(request.aux_data.jwt.org_info.orgs) == list
      - expr: >
          request.aux_data.jwt.org_info.default_org_id == "Audit Company 1"
      - any:
          of:
            - expr: request.principal.attr.surrogate_org_id == ""
            - expr: has(request.principal.attr.surrogate_org_id) == false
            - expr: request.principal.attr.surrogate_org_id == null
that's the condition to give "Auditor" role
Jesum Yip
08/24/2023, 4:37 AM
expr
Dennis (Cerbos)
expr won't give you a nice solution.
Jesum Yip
08/24/2023, 4:41 AM
Jesum Yip
08/24/2023, 4:41 AM
P.derivedRole
Dennis (Cerbos)
P.derivedRole is that it implies there's a dependency between them. We are thinking about an alternative.
Jesum Yip
08/24/2023, 4:43 AM
Dennis (Cerbos)
Dennis (Cerbos)
Jesum Yip
08/24/2023, 4:48 AM
Jesum Yip
08/24/2023, 4:48 AM
Jesum Yip
08/24/2023, 4:49 AM
Dennis (Cerbos)
Jesum Yip
08/24/2023, 4:50 AM
Jesum Yip
08/24/2023, 4:50 AM
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  resource: test_resource
  version: development
  importDerivedRoles:
    - global_invicta_roles
    - auditor_global_roles
  rules:
    - actions:
        - read
        - subscribed
      effect: EFFECT_ALLOW
      derivedRoles:
        - auditor_role
        - invicta_cspm_role
      condition:
        match:
          expr: request.resource.attr.data_org_id == "xxxxxx"
Dennis (Cerbos)
invicta_cspm_role
role?
Jesum Yip
08/24/2023, 4:51 AM
derivedRoles is evaluated as an AND condition?
Dennis (Cerbos)
derivedRoles:
  - auditor_role
  - invicta_cspm_role
This means EITHER of these roles
Jesum Yip
08/24/2023, 4:51 AM
Jesum Yip
08/24/2023, 4:51 AM
EITHER / OR condition
Dennis (Cerbos)
Jesum Yip
08/24/2023, 4:51 AM
Jesum Yip
08/24/2023, 4:52 AM
Jesum Yip
08/24/2023, 4:52 AM
expr: request.resource.attr.data_org_id == "xxxxxx"
ensures that the resource is only valid if it is attached to THAT bank
Jesum Yip
08/24/2023, 4:52 AM
expr: request.resource.attr.data_org_id == "xxxxxx"
wouldn't match for that insurance company
Jesum Yip
08/24/2023, 4:53 AM
Jesum Yip
08/24/2023, 4:53 AM
Dennis (Cerbos)
> if i ever needed the "AND" condition, i would have to write a different derived role policy that combines both auditor and invicta_cspm_role
We had this idea, but there's no ETA yet.
Jesum Yip
08/24/2023, 4:56 AM