#help
Title
b
Balwan singh
09/05/2023, 9:00 AMhow to use derived roles policy
j
Jesum Yip
09/05/2023, 9:12 AMThat's easy. Derived roles allow you to create a new role for a principal based on various attributes (usually of the principal). You can then use derived roles in your resource policies.
For example of principal has attribute age of 50, you can create a derived role that checks if principal.attr.age > 65 then assign the derived role of "Ancient warrior" to this person.
😂 1
Then you can write a resource policy where the resource called "golden sword" can only be used by someone of "Ancient warrior"
⚔️ 2
🥷 1
😂 4
A principal can have multiple derived roles attached to him or her
b
Balwan singh
09/05/2023, 9:14 AMcan you send me policy and example
j
Jesum Yip
09/05/2023, 9:15 AMHave a look here https://docs.cerbos.dev/cerbos/latest/policies/index.html
b
Balwan singh
09/05/2023, 9:16 AMi see this document already but I don't understand how is work
j
Jesum Yip
09/05/2023, 9:16 AMWhat don't you understand exactly?
When you make an API call to cerbos, you submit a JSON payload which has the details of the principal and resource to be accessed. These details are evaluated against the derived role policy and if it matches then that principal gets assigned the necessary derived roles. Then cerbos looks through the resource that the JSON payload says the user is trying to access and checks if this derived role is allowed to access it. If yes then cerbos API returns a result of effect allow.
o
oguzhan
09/05/2023, 9:34 AM
Perfect example! 😆
Playground for the example: https://play.cerbos.dev/p/dSvQh64f6f5cezuCeYFErp1vdRDuu2H5
➕ 1
j
Jesum Yip
09/05/2023, 9:36 AM@oguzhan lol!!!
3 Views