# help
d
I’d like to ask you about a rule I’ve been working on for booking software. Each booking has different states. I have an action and different results:
```typescript
const hasAccess: boolean = await cerbos.isAllowed(request);
// if the booking.status is CONFIRMED -> true
// if the booking.status is AMENDED -> false
```
The policy rule is:
```yaml
- actions: ["UPDATE"]
  effect: EFFECT_ALLOW
  derivedRoles:
    - BOOKING_Role1
    - BOOKING_Role2
  condition:
    match:
      any:
        of:
          - expr: request.resource.attr.status == "INITIALIZED"
          - expr: request.resource.attr.status == "BOOKED"
          - expr: request.resource.attr.status == "PENDING"
          - expr: request.resource.attr.status == "CONFIRMED"
          - expr: request.resource.attr.status == "AMENDED"
```
c
Hi, what are the definitions of your derived roles (`BOOKING_Role1` and `BOOKING_Role2`)?
d
These roles are dummy-like names. I’m not able to share the actual implementation.
Each role is related to different attributes, but the problem is not related to roles.
c
Well, there are many reasons for getting a DENY from Cerbos. It's difficult to tell you what's happening without more information. If you can't share anything, I suggest you write a Cerbos test for this case and run it with the `--verbose` flag to get the execution trace.
👍 1
d
I’ve been waiting for a response from my boss. I’m not the decision maker on which details can be shared.
c
I understand. Definitely don't share anything sensitive. But it's also impossible for me to tell you what's happening without looking at the request, the policy and the derived roles definitions. It could be many things. Some of the common cases are unsatisfied derived roles, a typo in the request or an explicit DENY rule that takes precedence. As I mentioned above, you can use the Cerbos test framework to exercise this case and debug it that way or you can use the REPL to run the rule with test data and see what happens.
👍 1
d
The problem was resolved. Thank you very much for the support.