a

    Alexander Ramin

    1 month ago
    Morning, I have a question that I may already know the answer to 😉, but would like an opinion. I have a resource -
    Account
    These Accounts can be of
    Staff
    or
    Customer
    Accounts. I have a scenario where I want to grant certain principals permission to Update Staff Accounts. Every other principal should not be able to update staff accounts (but may update Customer Accounts). What I tried was adding a check for the Resource Attribute in the Principal Policy. e.g.
    # Principal Policy
    
     derivedRoles:
      name: foo
      definitions:
        - name: foo.admin
          condition:
            match: V.is_staff & R.attr.is_staff_account == true
        - name: foo.dev
          condition:
            match: V.is_staff & R.attr.is_staff_account == false
    Is this just a bad idea? Would it be better to just create separate
    StaffAccount
    and
    CustomerAccount
    Resources instead of checking the resource attribute in the principal policy? Thanks a lot.
    Charith (Cerbos)

    Charith (Cerbos)

    1 month ago
    This is a perfectly valid way of doing it. The way I would think about this is that if this is a one-off rule, do it this way with a condition. If I need to make this distinction between staff and customer accounts in multiple places, then it might be helpful to have two resource kinds just so it's made explicit to anyone looking at the policies. It's a balance between practicality and explicitness.
    a

    Alexander Ramin

    1 month ago
    Awesome thanks