# help
n
Hi, I'm new, I'm learning. Watched this recent pinned video just now and a question crossed my mind:
• In the example, the "manager" role can only approve expenses <$500, then changes it later to <$1000, this makes sense.
• How would you recommend supporting if that $ amount was variable, a setting that could be changed in the app by an admin for example? So it couldn't be hard coded in the policy?
My initial thought so far is you'd have to send a "resource" that was really multiple resources, one part for the expense, and one part for that configuration, so maybe something like:
resource: {
  expense: ...,
  expenseSettings: ...,
}
Are there other ideas/best practices around something like that?
c
You can store the limits per user in your database and send the value as a principal attribute in the Cerbos request.
n
Ahh, yes, if it was per user it may end up in or near the principal data anyways. 👍 Generally though it's either gonna be mix it with the principal or the resource though, is what I'm grasping, right? Which makes sense, just double checking my understanding.
c
Yes. If you have any data points that are important for making an access decision, those need to be sent to Cerbos as attributes of either the principal or the resource.
n
šŸ‘ Thank you!