# help
i
Hi, we are just getting started with Cerbos and I have a question. We are saving our custom role as a condition in the resource policy, and we want to update the policy on each change by recalculating it every change (we are using the condition to check the custom role and the relevant tenant). I'm wondering if there is a way to save the policy in multiple files by role, so that we will be able to update only the relevant role's files and not the whole policy.
d
Can you please give an example of the condition for a custom role?
I’m wondering if there is a way to save the policy in multiple files by roles…
You can create a derived role for each of your custom roles.
i
I meant that we are using the resource-based approach. For example, this is the resource policy:
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: default
  resource: call
  rules:
    - actions:
        - "view"
      effect: EFFECT_ALLOW
      roles:
        - GLOBAL_ADMIN
        - CUSTOMER_ADMIN
        - CUSTOM_ROLE_1
      condition:
        match:
          all:
            of:
              - any:
                  of:
                  - expr: R.attr.groups.hasIntersection(P.attr.scoped_roles["GLOBAL_ADMIN"].groups)
                  - expr: R.attr.groups.hasIntersection(P.attr.scoped_roles["CUSTOM_ROLE_1"].groups)
d
If you have to repeat this expression for each custom role:
R.attr.groups.hasIntersection(P.attr.scoped_roles["CUSTOM_ROLE_1"].groups)
R.attr.groups.hasIntersection(P.attr.scoped_roles["CUSTOM_ROLE_2"].groups)
....
R.attr.groups.hasIntersection(P.attr.scoped_roles["CUSTOM_ROLE_N"].groups)
then you can write this expression once:
R.attr.groups.hasIntersection(P.attr.scoped_roles[P.attr.custom_role].groups)
and pass the custom role in P.attr.custom_role. You don’t need to add custom roles to the resourcePolicy -> rules -> roles list either. If a user might have many custom roles, you can pass them in P.attr.custom_roles and use the following expression:
P.attr.custom_roles.exists(custom_role, R.attr.groups.hasIntersection(P.attr.scoped_roles[custom_role].groups))
i
Thanks, we'll try it.