#help

Manuel Dugué

10/24/2023, 1:36 PM
Hey, we are heavily using schemas throughout our application. Now we would also like to define the valid values of the principal's `roles` attribute, but that does not seem to be possible. Given that we want to make sure that valid roles are `user`, `admin`, `employee`.
• Would you recommend assigning those to `roles` and skipping schema?
• Would you recommend adding an extra `roles` field to `attr`, so that the schema can be used?
  ◦ What would the original `roles` field be useful for then?
  ◦ That would increase the complexity of the policies, moving roles logic into `condition`
• Is there something I am missing?
Any hints, maybe @Alex Olivier (Cerbos)?

Alex Olivier (Cerbos)

10/24/2023, 6:43 PM
Hey
Schema is currently just for the attributes but I can see the use case for wanting to have a list of known roles and validating against that. Will create a tkt to gauge other opinions. Currently at least one role is required for the request to be valid so you will still need to pass them in the usual place.

Andrew Haines (Cerbos)

10/25/2023, 9:01 AM
You could add the `roles` to `attr` and then create derived roles that read from there, to avoid increasing the complexity of the policies (you'd just have to swap `roles` to `derivedRoles` and wouldn't have to change the conditions).