These Accounts can be of
Accounts. I have a scenario where I want to grant certain principals permission to Update Staff Accounts. Every other principal should not be able to update Staff Accounts (but may update Customer Accounts). What I tried was adding a check for the Resource Attribute in the Principal Policy, e.g.

```yaml
# Principal Policy
derivedRoles:
  name: foo
  definitions:
    # (a real Cerbos definition also needs parentRoles; omitted here as in the post)
    - name: foo.admin
      condition:
        match:
          expr: V.is_staff && R.attr.is_staff_account == true
    - name: foo.dev
      condition:
        match:
          expr: V.is_staff && R.attr.is_staff_account == false
```

Is this just a bad idea? Would it be better to just create separate Resources instead of checking the resource attribute in the principal policy? Thanks a lot.
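An added illustration, not part of the post above and not Cerbos project code: the same staff/customer split written so that the `is_staff_account` check sits on the resource policy rule rather than inside a derived role, which keeps "who is staff" (derived role) separate from "which accounts they may touch" (resource rule). Everything except `R.attr.is_staff_account` is assumed: the resource kind `account`, the action `update`, the base role `user`, and the principal attribute `P.attr.is_staff`. The two documents are shown together for readability; in a Cerbos policy directory each would normally be its own file.

```yaml
# Added example; assumed names are marked in comments.
# --- derived role: who counts as staff (assumed attribute P.attr.is_staff) ---
apiVersion: api.cerbos.dev/v1
derivedRoles:
  name: account_roles
  definitions:
    - name: staff
      parentRoles: ["user"]          # assumed base role
      condition:
        match:
          expr: P.attr.is_staff == true
---
# --- resource policy: which accounts each role may update ---
apiVersion: api.cerbos.dev/v1
resourcePolicy:
  version: "default"
  resource: account                  # assumed resource kind
  importDerivedRoles:
    - account_roles
  rules:
    # Staff may update any account, staff or customer.
    - actions: ["update"]            # assumed action name
      effect: EFFECT_ALLOW
      derivedRoles: ["staff"]
    # Everyone else may update only customer accounts; the check lives
    # on the rule, so no extra resource kind is needed for staff accounts.
    - actions: ["update"]
      effect: EFFECT_ALLOW
      roles: ["user"]
      condition:
        match:
          expr: R.attr.is_staff_account == false
```

With this layout, a request for `update` on an account with `is_staff_account: true` from a principal lacking the `staff` derived role matches neither rule and is denied by default, which is the behaviour the post asks for; the same policy can be checked with the Cerbos test runner before deployment.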