# community
Farzad Soltani

09/18/2023, 1:22 PM
I have a policy for users. I want only admins to be able to update user roles. Can someone point me in the right direction? This is my example yaml:
```yaml
---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: user
  rules:
  - actions:
    - create
    roles:
    - admin
    - user
    effect: EFFECT_ALLOW
  - actions:
    - update
    - read
    roles:
    - user
    effect: EFFECT_ALLOW
    condition:
      match:
        expr: request.resource.id == request.principal.id
  - actions:
    - create
    - update
    - list
    - read
    roles:
    - admin
    effect: EFFECT_ALLOW
```
Charith (Cerbos)

09/18/2023, 1:29 PM
Hey, isn't it just a matter of adding the user update action to the list you already have (create, update, list, read) or am I not understanding you correctly?
Farzad Soltani

09/18/2023, 1:29 PM
Let me explain more.
I have an API that allows both users and admins to update users.
Users can only update their own profiles (name, surname, etc.). Admins can update the above and also add roles to users (customer, qa, etc.).
I want to restrict users from editing the roles that were assigned to them by admins.
Charith (Cerbos)

09/18/2023, 1:34 PM
Isn't the "add role to user" operation an action by itself or is it lumped together into `update`?
Farzad Soltani

09/18/2023, 1:34 PM
They're intertwined
Charith (Cerbos)

09/18/2023, 1:37 PM
I'd suggest making the `update` (or `update_profile`) action refer to things that users can do on their own profile and introducing a new action named `admin_update` if the user is also trying to add a role to a profile. Then you can write your policy to allow only admins to do `admin_update`.
Alternatively, you can flag the fact that the request contains a role update by setting a request attribute in the Cerbos request and then checking that in your policy rule.
Farzad Soltani

09/18/2023, 1:39 PM
Thanks for the suggestion. I'll take it into consideration. What I'm searching for more is the condition itself.
Charith (Cerbos)

09/18/2023, 1:42 PM
Yeah, so if you set `contains_role_update` as a request attribute, you can write:
```yaml
  - actions:
    - update
    - read
    roles:
    - user
    effect: EFFECT_ALLOW
    condition:
      match:
        all:
          of:
          # A user may only touch their own record ...
          - expr: request.resource.id == request.principal.id
          # ... and only when the request was not flagged as carrying a role change.
          # Resource attributes are addressed as request.resource.attr.<name> in Cerbos conditions.
          - expr: request.resource.attr.contains_role_update == false
```
Farzad Soltani

09/18/2023, 1:45 PM
Thanks. I'll test it out.