https://cerbos.dev logo
#help
Title
b

Balwan singh

09/05/2023, 9:00 AM
how to use derived roles policy
j

Jesum Yip

09/05/2023, 9:12 AM
That's easy. Derived roles allow you to create a new role for a principal based on various attributes (usually of the principal). You can then use derived roles in your resource policies.
For example of principal has attribute age of 50, you can create a derived role that checks if principal.attr.age > 65 then assign the derived role of "Ancient warrior" to this person.
😂 1
Then you can write a resource policy where the resource called "golden sword" can only be used by someone of "Ancient warrior"
⚔️ 2
🥷 1
😂 4
A principal can have multiple derived roles attached to him or her
b

Balwan singh

09/05/2023, 9:14 AM
can you send me policy and example
j

Jesum Yip

09/05/2023, 9:15 AM
b

Balwan singh

09/05/2023, 9:16 AM
i see this document already but I don't understand how is work
j

Jesum Yip

09/05/2023, 9:16 AM
What don't you understand exactly?
When you make an API call to cerbos, you submit a JSON payload which has the details of the principal and resource to be accessed. These details are evaluated against the derived role policy and if it matches then that principal gets assigned the necessary derived roles. Then cerbos looks through the resource that the JSON payload says the user is trying to access and checks if this derived role is allowed to access it. If yes then cerbos API returns a result of effect allow.
o

oguzhan

09/05/2023, 9:34 AM
Perfect example! 😆 Playground for the example: https://play.cerbos.dev/p/dSvQh64f6f5cezuCeYFErp1vdRDuu2H5
1
j

Jesum Yip

09/05/2023, 9:36 AM
@oguzhan lol!!!
3 Views