hi wave when using the Prisma integration how are conditions Cerbos Community #help

hi :wave:. when using the Prisma integration, how ...

Brandon Choe

02/13/2024, 9:58 PM

hi 👋. when using the Prisma integration, how are conditions based on the principal evaluated? are they done in Cerbos, then the resource-based conditions are returned as part of the query plan?

Dennis (Cerbos)

02/13/2024, 10:07 PM

Yes. Here is a quick example of a policy expression having both resource and principal attributes.

request.resource.attr.department == request.principal.attr.department

The principal attributes are known at the time of the call. Let’s say the principal department is

marketing

, so the query plan will contain an AST of

request.resource.attr.department == "marketing"

Dennis (Cerbos)

02/13/2024, 10:09 PM

It’s worth mentioning that some resource attributes might be known at the call time, so those can also be submitted in the request.

Brandon Choe

02/13/2024, 10:10 PM

what about expressions where the resource is not involved? e.g.

request.principal.attr.department == "marketing"

Dennis (Cerbos)

02/13/2024, 10:12 PM

Then the expression will be evaluated to

true,

so the query planner will return

KIND_ALWAYS_ALLOWED

Dennis (Cerbos)

02/13/2024, 10:13 PM

Assuming it is the expression of the condition with

EFFECT_ALLOW

Brandon Choe

02/13/2024, 10:14 PM

ok awesome thanks dennis!

🙌 1

Dennis (Cerbos)

02/13/2024, 10:15 PM

No worries. If you want to go into detail, I wrote a blog post.

Brandon Choe

02/13/2024, 10:16 PM

yes!! thank you

Open in Slack

Previous Next