# help
g
Hello there(…) 🙂 We are considering creating an authorization mechanism in our application using Cerbos. Part of the policy we characterized defines that a user has a permission for a certain resource (A) if he has said permission to a resource (B) that contains it (A), i.e. its parent, grandparent and so on. As far as I understood from the documentation, there is a way of defining such a hierarchy for principals (derived roles), but the question is if there is a proper way of doing that for resources as well. For example: a user has “write” access to a file if he has “write” access to the folder containing the file? Thanks very much in advance 🙂
c
Hi. Cerbos has support for parent-child relationships for resource kinds, which we call scoped policies. However, I think your question is more about relationships between particular instances of a resource. One way to model that would be using the hierarchy functions. Basically, you need to tell Cerbos about the relationships (e.g. principal has access to tree `a.b` and the position of the resource in the tree is `a.b.c.d`) and the policy rules can be written using the hierarchy functions to determine whether that access is allowed.
g
Awesome… thanks… I’ll dive into it 🙂