# help
Hello, I remember long ago there was a suggestion to have AuxData contain arbitrary data but I also remember that suggestion was waived. My question is, did this change by now? Or are there any alternative solutions maybe?
Hypothetical example: a User wants to read an Article that has privacy: default. It turns out that the "default privacy" is a global setting that Cerbos needs to know at runtime to determine the final answer. How would that be modeled for Cerbos now?
Hi @Yusuf Sultan, it didn't change. Here, you can find that answer by Charith. You could use global variables in this case. If you'd define a default_visibility global (values could be PUBLIC, PRIVATE), the policy for the article could look like this:
```yaml
# yaml-language-server: $schema=https://api.cerbos.dev/latest/cerbos/policy/v1/Policy.schema.json
# docs: https://docs.cerbos.dev/cerbos/latest/policies/resource_policies
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: article
  rules:
    # Resource attribute is present: decide from it directly.
    - name: visibility_present
      actions: ["read"]
      effect: EFFECT_ALLOW
      roles:
        - USER
      condition:
        match:
          all:
            of:
              - expr: has(request.resource.attr.visibility)
              - expr: request.resource.attr.visibility == "PUBLIC"
              - expr: request.resource.attr.status == "PUBLISHED"

    # Resource attribute is absent: fall back to the global default.
    - name: visibility_not_present
      actions: ["read"]
      effect: EFFECT_ALLOW
      roles:
        - USER
      condition:
        match:
          all:
            of:
              - expr: "!has(request.resource.attr.visibility)"
              - expr: globals.default_visibility == "PUBLIC"
              - expr: request.resource.attr.status == "PUBLISHED"
```
If the visibility attribute is available in the resource attributes, the policy decides according to the attribute provided. If the visibility attribute is not present, it uses the default_visibility global variable. If you want to toy around with the idea, here is the playground link: https://play.cerbos.dev/p/DFsMeI6597c2c2HXAsOLFp43QkRbZ4w6 (using exportVariables instead of globals due to the playground limitations)
Awesome! I'll look into this on my next work day
Thank you so much