), how does one achieve that as well?
If your user has the
```yaml
- actions: ['*']
  effect: EFFECT_ALLOW
  roles: ["admin"]
  condition:
    match:
      expr: "hierarchy(request.principal.attr.projectScope).ancestorOf(hierarchy(request.resource.attr.projectScope))"
```
role and a
, and if the resource has a
attribute of project.x.component.a then access would be granted. But if the resource has a
it won't be allowed.
I used in my example is not related to
in scoped policies. It's just bad naming on my part. Sorry about the confusion. The example is demonstrating how you can store relationships between particular users and resources in your system and write Cerbos policies to make access decisions based on those.
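A small Python model of the `projectScope` check in the rule above, added here as an illustration; it is not part of the original post and not Cerbos code. It assumes `hierarchy()` splits on dots and that `ancestorOf` is a strict, segment-wise prefix test (equal scopes do not match); every scope value other than `project.x.component.a` is constructed.

```python
"""Illustrative model of the admin/projectScope rule (not Cerbos code)."""


def segments(scope: str) -> list[str]:
    # Assumption: hierarchy() is modelled as a split on "." with no empty parts.
    parts = scope.split(".") if scope else []
    if not parts or any(p == "" for p in parts):
        raise ValueError(f"malformed scope: {scope!r}")
    return parts


def ancestor_of(principal_scope: str, resource_scope: str) -> bool:
    p, r = segments(principal_scope), segments(resource_scope)
    # Assumption: strict ancestor, so the principal scope must be shorter
    # than the resource scope and match it segment by segment.
    return len(p) < len(r) and r[: len(p)] == p


def naive_prefix(principal_scope: str, resource_scope: str) -> bool:
    # Plain string prefix, shown only for contrast with the segment-wise test.
    return resource_scope.startswith(principal_scope)


def is_allowed(roles: list[str], principal_scope: str, resource_scope: str) -> bool:
    # Mirrors the rule: roles ["admin"], any action, EFFECT_ALLOW when the
    # condition holds. Anything else falls through to deny.
    if "admin" not in roles:
        return False
    try:
        return ancestor_of(principal_scope, resource_scope)
    except ValueError:
        return False  # missing or malformed attribute: fail closed


# Constructed cases: (roles, principal projectScope, resource projectScope)
CASES = [
    (["admin"], "project.x", "project.x.component.a"),   # inside the subtree
    (["admin"], "project.x", "project.y.component.a"),   # sibling project
    (["admin"], "project.x", "project.xy.component.a"),  # string prefix only
    (["admin"], "project.x", "project.x"),               # same scope
    (["viewer"], "project.x", "project.x.component.a"),  # wrong role
]


def evaluate_cases() -> list[bool]:
    return [is_allowed(*case) for case in CASES]


if __name__ == "__main__":
    for case, allowed in zip(CASES, evaluate_cases()):
        print(case, "ALLOW" if allowed else "DENY")
```

The third case is the reason to compare segments rather than raw strings: `project.xy` starts with the characters `project.x` but is a different project.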