# community
f
I have a policy for users. I want only admins to be able to update user roles. Can someone point me in the right direction? This is my example yaml:
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: user
  rules:
  - actions:
    - create
    roles:
    - admin
    - user
    effect: EFFECT_ALLOW
  - actions:
    - update
    - read
    roles:
    - user
    effect: EFFECT_ALLOW
    condition:
      match:
        expr: request.resource.id == request.principal.id
  - actions:
    - create
    - update
    - list
    - read
    roles:
    - admin
    effect: EFFECT_ALLOW
c
Hey, isn't it just a matter of adding the user update action to the list you already have (create, update, list, read) or am I not understanding you correctly?
f
Let me explain more.
I have an API that allows both users and admins to update users.
Users can only update their own profiles (name, surname, etc.). Admins can update the above and also add roles to users (customer, qa, etc.).
I want to restrict users from editing the roles that were assigned to them by admins.
c
Isn't the "add role to user" operation an action by itself, or is it lumped together into "update"?
f
They're intertwined
c
I'd suggest making the "update" (or "update_profile") action refer to things that users can do to their own profile and introducing a new action named "admin_update" if the user is also trying to add a role to a profile. Then you can write your policy to allow only admins to do "admin_update".
Alternatively, you can flag the fact that the request contains a role update by setting a request attribute in the Cerbos request and then checking that in your policy rule
f
Thanks for the suggestion. I'll take it into consideration. What I'm searching for more is the condition itself.
c
Yeah, so if you set
contains_role_update
as a request attribute, you can write:
  - actions:
    - update
    - read
    roles:
    - user
    effect: EFFECT_ALLOW
    condition:
      match:
        all:
          of:
          # the principal may only touch its own user record
          - expr: request.resource.id == request.principal.id
          # resource attributes are addressed via request.resource.attr in Cerbos CEL
          - expr: request.resource.attr.contains_role_update == false
f
Thanks. I'll test it out.