Cerbos is the open core, language-agnostic, scalable authorization solution that makes user permissions and authorization simple to implement and manage.

Cerbos Community

Hi, is there a recommended way to enforce *all* roles are present, instead of it being a conditional OR?

e.g.

```      roles:
        - USER
        - MANAGER```
Make it so that the principal must have roles "USER" AND "MANAGER" instead of "USER" OR "MANAGER"

Thanks

Hi Will,
It is a workaround. The idea is to check the presence of both roles in the condition expression.
```  roles:
        - USER
        - MANAGER
  condition:
     match:
        expr: ["USER", "MANAGER"].isSubset(P.roles)```
If you want to do the same with derived roles, use `runtime.effectiveDerivedRoles`.