Hey we are heavily using schemas throughout our application Cerbos Community #help

Hey, we are heavily using schemas throughout our a...

Manuel Dugué

10/24/2023, 1:36 PM

Hey, we are heavily using schemas throughout our application. Now we would also like to define the valid values of the principals

roles

attribute, but that does not seem to be possible. Given that we want to make sure that valid roles are

user

admin

employee

. • Would you recommend assigning those to

roles

and skip schema? • Would you recommend adding an extra

roles

field to

attr

, so that the schema can be used? ◦ What would be the original

roles

field be useful for then? ◦ that would increase the complexity of the policies moving roles logic into

condition

• Is there something I am missing?

Manuel Dugué

10/24/2023, 5:49 PM

any hints, maybe @Alex Olivier (Cerbos)?

Alex Olivier (Cerbos)

10/24/2023, 6:43 PM

Hey

Alex Olivier (Cerbos)

10/24/2023, 6:44 PM

Schema is currently just for the attributes but I can see the use case for wanting to have a list of known roles and validating against that. Will create a tkt to gauge other opinions. Currently at least one role is required for the request to be valid so you will still need to pass them in the usual place.

✅ 1

Andrew Haines (Cerbos)

10/25/2023, 9:01 AM

You could add the

roles

attr

and then create derived roles that read from there, to avoid increasing the complexity of the policies (you'd just have to swap

roles

derivedRoles

and wouldn't have to change the conditions.

✅ 1

5 Views

Open in Slack

Previous Next