Farzad Soltani
09/18/2023, 1:22 PM
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: user
  rules:
    - actions:
        - create
      roles:
        - admin
        - user
      effect: EFFECT_ALLOW
    - actions:
        - update
        - read
      roles:
        - user
      effect: EFFECT_ALLOW
      condition:
        match:
          expr: request.resource.id == request.principal.id
    - actions:
        - create
        - update
        - list
        - read
      roles:
        - admin
      effect: EFFECT_ALLOW
Charith (Cerbos)
Farzad Soltani
09/18/2023, 1:29 PM
Farzad Soltani
09/18/2023, 1:30 PM
Farzad Soltani
09/18/2023, 1:30 PM
Farzad Soltani
09/18/2023, 1:31 PM
Charith (Cerbos)
update?
Farzad Soltani
09/18/2023, 1:34 PM
Charith (Cerbos)
update (or update_profile) action refer to things that users can do to their own profile, and introducing a new action named admin_update if the user is also trying to add a role to a profile. Then you can write your policy to allow only admins to do admin_update.
Charith (Cerbos)
Farzad Soltani
09/18/2023, 1:39 PM
Charith (Cerbos)
contains_role_update as a request attribute, you can write:
    - actions:
        - update
        - read
      roles:
        - user
      effect: EFFECT_ALLOW
      condition:
        match:
          all:
            of:
              - expr: request.resource.id == request.principal.id
              # request attributes live under request.resource.attr in Cerbos conditions
              - expr: request.resource.attr.contains_role_update == false
Farzad Soltani
09/18/2023, 1:45 PM