Hi - I'm wondering if it's possible to assign role...
# help
m
Hi - I'm wondering if it's possible to assign roles with Cerbos. Our roles are very relational, so there's no such thing as a user just being an 'admin' or a 'user'. In our multi-tenant infrastructure, we have client organizations that have projects, and the organizations can subscribe to our applications per project. The organizations can assign their users different roles per project/application. So, OrgA may have Project1 with App1 and Project2 with App1, and UserA is an admin of Project1/App1, but a viewer of Project2 App1.
a
Hey there - Cerbos is the decision point based on your role assignments, which generally sit in your IdP or your own application database and are passed to Cerbos at request time. We have an example policy which has the per project/workspace role assignment as attributes on the principal object. This is just a map of data containing the assignments, and then the policy uses this - along with which workspace the resource belongs to - to make the decision: https://play.cerbos.dev/p/IJxlK6131f642ND65F1EhPmiT18Ap1A5
m
Thanks! So in that example, the work of populating the user attributes, relating the user to roles via particular workspaces, is handled by the IdP, correct?
a
Typically it's the IdP, but it is being passed by whichever upstream system is calling Cerbos.
m
Got it -- thanks so much!