Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Is anyone able to help with building a condition for the below please?

Resource has multiple tags:
```id: near-miss#1
kind: near-miss:object
attr:
  org: org1
  address: address1 
  tags: ["tag2", "tag4"]```
Principal is a member of multiple organizations and can be assigned roles for different tags:
```id: user#1
roles:
  - user
attr:
  organizations:
    org1:
      tags:
        tag1: ["siteSafety"]
        tag2: ["roleA", "roleB", "roleC"]
        tag4: ["roleA", "siteSafety"]
    org2:
      tags:
        tag3: ["siteSafety"]```
The above Principal is in the `siteSafety` role for tags `1` and `4`.

We need a condition that will check the Principal org tags, matching the Resource org (`P.attr.organizations[<http://R.attr.org|R.attr.org>].tags`), and then check that there is a matching Principal tag with the `siteSafety` role.

e.g. From the above example, the Resource is for org 1 and has tags 1 and 4. The Principal has an org1 attribute with tags 1, 2, & 4. tag4 has a siteSafety role so the result is ALLOW.

Hey just dropped you a DM :slightly_smiling_face: