Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Any reason why we cannot use resource scope directly in a condition?

```hierarchy(request.principal.attr.tenantId)
  .overlaps(hierarchy(request.resource.scope))```
&gt; Invalid expression `hierarchy(request.principal.attr.tenantId).overlaps(hierarchy(request.resource.scope))`: [undefined field 'scope'] (invalid expression)
The hierarchy CEL examples in the docs show scope in the attributes object, but then you have to duplicate the scope:

```"principal": {
  "id": "john",
  "roles": ["employee"],
  "attr": {
    "tenantId": "tenant1"
  }
},
"resource": {
  "kind": "leave_request",
  "scope": "tenant1.foo.bar",
  "attr": {
    "scope": "tenant1.foo.bar"
  }
}```

Thanks for bringing it up. That's an oversight on our part. Will look into fixing it soon.

Cerbos 0.38.1 was released yesterday and includes these changes.