Morning, I have a question that I may already know the answer to 😉, but would like an opinion. I have a resource -

Account

These Accounts can be of

Staff

or

Customer

Accounts. I have a scenario where I want to grant certain principals permission to Update Staff Accounts. Every other principal should not be able to update staff accounts (but may update Customer Accounts). What I tried was adding a check for the Resource Attribute in the Principal Policy. e.g.

# Principal Policy

 derivedRoles:
  name: foo
  definitions:
    - name: foo.admin
      condition:
        match: V.is_staff & R.attr.is_staff_account == true
    - name: foo.dev
      condition:
        match: V.is_staff & R.attr.is_staff_account == false

Is this just a bad idea? Would it be better to just create separate

StaffAccount

and

CustomerAccount

Resources instead of checking the resource attribute in the principal policy? Thanks a lot.

This is a perfectly valid way of doing it. The way I would think about this is that if this is a one-off rule, do it this way with a condition. If I need to make this distinction between staff and customer accounts in multiple places, then it might be helpful to have two resource kinds just so it's made explicit to anyone looking at the policies. It's a balance between practicality and explicitness.

Awesome thanks