https://cerbos.dev logo
Join Slack
Powered by
Hi all, I’ve created a derived role below named ow...
# help
a
Hi all, I’ve created a derived role below named owner. It works, when resource 
attr
is empty. Should return 
DENY
, right? derived role
Copy code
# yaml-language-server: $schema=<https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json>
# docs: <https://docs.cerbos.dev/cerbos/latest/policies/derived_roles>
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: customer_roles
  definitions:
    - name: OWNER 
      parentRoles: ["USER"] 
      condition: 
        match:
          expr: R.attr.owner.id == P.id
principal.json
Copy code
{
  "id": "12312312",
  "roles": [
    "OWNER"
  ],
  "attr": {
    "storeDetails": {
      "id": "123",
      "tenantId": "1234"
    }
  }
}
resource.json
Copy code
{
  "id": "13123123",
  "kind": "order",
  "attr": {}
}
resource policy:
Copy code
- actions: ["order:read"]
      effect: EFFECT_ALLOW
      roles:
        - OWNER
      condition:
        match:
          expr: ("OWNER" in P.roles)
      name: order_owner_rule
o
Hi! You could change the rule in the resource policy to something like this;
Copy code
- actions: ["order:read"]
  effect: EFFECT_ALLOW
  derivedRoles:
  - OWNER
  name: order_owner_rule
Then according to the your derived role policy, the principal will have the derived role 
OWNER
if; 1. the principal has role 
USER
(because you’ve stated 
parentRoles: ["USER"]
in the rule) 2. the principal id and the 
owner.id
must be equal (because the rule has this expression: 
R.attr.owner.id == P.id
) In order for you to have 
ALLOW
for the 
order:read
, the 
principal
should have a principal with 
USER
role to meet the first (
1
) condition above. the 
resource
should have 
owner.id
set to 
12312312
to meet the second (
2
) condition above. So something like this; 
principal.json (modified)
Copy code
{
  "id": "12312312",
  "roles": [
    "USER"
  ],
  "attr": {
    "storeDetails": {
      "id": "123",
      "tenantId": "1234"
    }
  }
}
resource.json (modified)
Copy code
{
  "id": "13123123",
  "kind": "order",
  "attr": {
    "owner": {
      "id": "12312312"
    }
  }
}
a
Hi @oguzhan, thanks for the response! I’ve used the above action you provided. But, now all permissions are 
denied
even for a valid owner id.
o
I’ve created an isolated playground example for you: https://play.cerbos.dev/p/Rojc9qKJA65103d98haTktaAPoATyJp9 It might be because I edited the message to add the following part later on, sorry about that;
Copy code
You could change the rule in the resource policy to something like this;

- actions: ["order:read"]
  effect: EFFECT_ALLOW
  derivedRoles:
  - OWNER
  name: order_owner_rule
a
No worries, I did checked your updated message!
It’s working for me thanks! @oguzhan
It seems we have to provide 
USER
role along with other derived roles inside 
roles: []
attribute of principal object.
Copy code
{
  "id": "123123123123",
  "roles": [
    "OWNER",
    "USER"
  ],
  "attr": {
    "storeDetails": {
      "id": "123",
      "tenantId": "1234"
    }
  }
}
o
Only the 
role: ["USER"]
is needed, 
derivedRoles
are deduced from the request context according to your derivedRole policy rules. It’s not working for you this way?
a
It’s working!
🎉 1
6 Views
Open in Slack
PreviousNext
Powered by