Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Hi all, I am building headless ecommerce and would like to allow the store manager  to create custom permission assigned to their staff, which are based on predefined resources( order, inventory,sales). I am planning to have a resource policy per user, created by the API. Do you think it's a good approach? or is there any other approach you would like to suggest? Thanks!

This may be helpful <https://docs.cerbos.dev/cerbos/latest/policies/best_practices.html|https://docs.cerbos.dev/cerbos/latest/policies/best_practices.html>

That seems like a good approach. You may wish to use <https://docs.cerbos.dev/cerbos/latest/policies/scoped_policies.html|scoped policies> to have a set of "standard" permissions (in the root scope) and then an additional set of permissions on top of that in a `custom` scope or similar. You could model it that the root scope policies grant all the permissions within the store, but the custom scope ones have deny rules to narrow the permissions of the staff to those granted by the store manager. An example of this sort of scoped setup is <https://github.com/cerbos/demo-multitenant-saas|here>.