Title
#community
a

Alexander Ramin

08/24/2022, 8:28 AM
Morning, I have a question that I may already know the answer to 😉, but would like an opinion. I have a resource -
Account
These Accounts can be of
Staff
or
Customer
Accounts. I have a scenario where I want to grant certain principals permission to Update Staff Accounts. Every other principal should not be able to update staff accounts (but may update Customer Accounts). What I tried was adding a check for the Resource Attribute in the Principal Policy. e.g.
# Principal Policy

 derivedRoles:
  name: foo
  definitions:
    - name: foo.admin
      condition:
        match: V.is_staff & R.attr.is_staff_account == true
    - name: foo.dev
      condition:
        match: V.is_staff & R.attr.is_staff_account == false
Is this just a bad idea? Would it be better to just create separate
StaffAccount
and
CustomerAccount
Resources instead of checking the resource attribute in the principal policy? Thanks a lot.
Charith (Cerbos)

Charith (Cerbos)

08/24/2022, 8:49 AM
This is a perfectly valid way of doing it. The way I would think about this is that if this is a one-off rule, do it this way with a condition. If I need to make this distinction between staff and customer accounts in multiple places, then it might be helpful to have two resource kinds just so it's made explicit to anyone looking at the policies. It's a balance between practicality and explicitness.
a

Alexander Ramin

08/24/2022, 8:50 AM
Awesome thanks