Rounak Datta
08/17/2022, 12:44 PM
`android`), how does one achieve that as well?

Charith (Cerbos)
08/17/2022, 1:17 PM
```yaml
- actions: ['*']
  effect: EFFECT_ALLOW
  roles: ["admin"]
  condition:
    match:
      expr: "hierarchy(request.principal.attr.projectScope).ancestorOf(hierarchy(request.resource.attr.projectScope))"
```
If your user has the `admin` role and a `projectScope` attribute of `project.x`, and if the resource has a `projectScope` attribute of `project.x.component.a`, then access would be granted. But if the resource has a `projectScope` of `project.a.component.c`, it won't be allowed.

Rounak Datta
08/17/2022, 2:41 PM

Viet Au
08/17/2022, 3:52 PM

Charith (Cerbos)
08/17/2022, 4:03 PM
`projectScope` I used in my example is not related to `scope` in scoped policies. It's just bad naming on my part. Sorry about the confusion. The example is demonstrating how you can store relationships between particular users and resources in your system and write Cerbos policies to make access decisions based on those.