# help
p
Any thoughts on how best to model something like that?
a
Hey
I would approach this as an attribute on the user which defines each country, which counties the user has permission to. Let me quickly put an example together
Here you go
It checks for a principal's role for the location set in the resource `location` attribute via the condition.
p
thanks Alex! What do you think about this one for a multi-level attribute setup?
a
Looks good to me. You can get as nested as you need with policies so that works great
p
yeah I guess I was looking for the model to have attributes as a child of role
but this is the problem I hit with every one of these that we've looked at. Apparently we are strange. 🙂
Great tool though. We will evaluate it further! Very easy to explain.
a
The way we think about it is the roles are high-level ones from the IdP, e.g. Admin or User. Then Cerbos (or similar) is used for the next level of granularity where you derive an additional role based on the input attributes - we even had a special policy type called derived roles for it. This way your IdP roles stay simple - and your attribute-level ones are dynamic based on the specific request