https://cerbos.dev logo
#help
Title
# help
a

Ankit Khosla

09/24/2023, 8:20 AM
Hi all, I’ve created a derived role below named owner. It works, when resource
attr
is empty. Should return
DENY
, right? derived role
Copy code
# yaml-language-server: $schema=<https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json>
# docs: <https://docs.cerbos.dev/cerbos/latest/policies/derived_roles>
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: customer_roles
  definitions:
    - name: OWNER 
      parentRoles: ["USER"] 
      condition: 
        match:
          expr: R.attr.owner.id == P.id
principal.json
Copy code
{
  "id": "12312312",
  "roles": [
    "OWNER"
  ],
  "attr": {
    "storeDetails": {
      "id": "123",
      "tenantId": "1234"
    }
  }
}
resource.json
Copy code
{
  "id": "13123123",
  "kind": "order",
  "attr": {}
}
resource policy:
Copy code
- actions: ["order:read"]
      effect: EFFECT_ALLOW
      roles:
        - OWNER
      condition:
        match:
          expr: ("OWNER" in P.roles)
      name: order_owner_rule
o

oguzhan

09/24/2023, 1:22 PM
Hi! You could change the rule in the resource policy to something like this;
Copy code
- actions: ["order:read"]
  effect: EFFECT_ALLOW
  derivedRoles:
  - OWNER
  name: order_owner_rule
Then according to the your derived role policy, the principal will have the derived role
OWNER
if; 1. the principal has role
USER
(because you’ve stated
parentRoles: ["USER"]
in the rule) 2. the principal id and the
owner.id
must be equal (because the rule has this expression:
R.attr.owner.id == P.id
) In order for you to have
ALLOW
for the
order:read
, the
principal
should have a principal with
USER
role to meet the first (
1
) condition above. the
resource
should have
owner.id
set to
12312312
to meet the second (
2
) condition above. So something like this;
principal.json (modified)
Copy code
{
  "id": "12312312",
  "roles": [
    "USER"
  ],
  "attr": {
    "storeDetails": {
      "id": "123",
      "tenantId": "1234"
    }
  }
}
resource.json (modified)
Copy code
{
  "id": "13123123",
  "kind": "order",
  "attr": {
    "owner": {
      "id": "12312312"
    }
  }
}
a

Ankit Khosla

09/24/2023, 1:40 PM
Hi @oguzhan, thanks for the response! I’ve used the above action you provided. But, now all permissions are
denied
even for a valid owner id.
o

oguzhan

09/24/2023, 1:47 PM
I’ve created an isolated playground example for you: https://play.cerbos.dev/p/Rojc9qKJA65103d98haTktaAPoATyJp9 It might be because I edited the message to add the following part later on, sorry about that;
Copy code
You could change the rule in the resource policy to something like this;

- actions: ["order:read"]
  effect: EFFECT_ALLOW
  derivedRoles:
  - OWNER
  name: order_owner_rule
a

Ankit Khosla

09/24/2023, 1:47 PM
No worries, I did checked your updated message!
It’s working for me thanks! @oguzhan
It seems we have to provide
USER
role along with other derived roles inside
roles: []
attribute of principal object.
Copy code
{
  "id": "123123123123",
  "roles": [
    "OWNER",
    "USER"
  ],
  "attr": {
    "storeDetails": {
      "id": "123",
      "tenantId": "1234"
    }
  }
}
o

oguzhan

09/24/2023, 1:53 PM
Only the
role: ["USER"]
is needed,
derivedRoles
are deduced from the request context according to your derivedRole policy rules. It’s not working for you this way?
a

Ankit Khosla

09/24/2023, 1:56 PM
It’s working!
🎉 1
5 Views